Enabled security while serving static files

Signed-off-by: Vishal Rana <vr@labstack.com>
2025-07-17 01:43:02 +02:00 · 2017-02-22 14:21:28 -08:00
parent 91d2727522
commit d259f88324
2 changed files with 7 additions and 4 deletions
--- a/echo.go
+++ b/echo.go
@ -46,6 +46,7 @@ import (
 	"net"
 	"net/http"
 	"path"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"sync"
@ -403,7 +404,8 @@ func (e *Echo) Static(prefix, root string) {

 func static(i i, prefix, root string) {
 	h := func(c Context) error {
-		return c.File(path.Join(root, c.Param("*")))
+		name := filepath.Join(root, path.Clean("/"+c.Param("*"))) // `/` for security
+		return c.File(name)
 	}
 	i.GET(prefix, h)
 	if prefix == "/" {
--- a/middleware/static.go
+++ b/middleware/static.go
@ -3,6 +3,7 @@ package middleware
 import (
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"

@ -66,11 +67,11 @@ func StaticWithConfig(config StaticConfig) echo.MiddlewareFunc {

 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			path := c.Request().URL.Path
+			p := c.Request().URL.Path
 			if strings.HasSuffix(c.Path(), "*") { // When serving from a group, e.g. `/static*`.
-				path = c.Param("*")
+				p = c.Param("*")
 			}
-			name := filepath.Join(config.Root, path)
+			name := filepath.Join(config.Root, path.Clean("/"+p)) // "/"+ for security

 			fi, err := os.Stat(name)
 			if err != nil {