fix issue 4946 (#4954)

* Update tree.go

fix issue 4946 CVE-2022-31259

CHANGELOG.md

@@ -8,6 +8,7 @@
 - [Support lifecycle callback](https://github.com/beego/beego/pull/4918)
 - [Append column comments to create table sentence when using postgres](https://github.com/beego/beego/pull/4940)
 - [logs: multiFileLogWriter uses incorrect formatter](https://github.com/beego/beego/pull/4943)
+- [fix issue 4946 CVE-2022-31259](https://github.com/beego/beego/pull/4954)
 
 # v2.0.2
 See v2.0.2-beta.1

server/web/tree.go

@@ -341,9 +341,9 @@ func (t *Tree) match(treePattern string, pattern string, wildcardValues []string
 	if runObject == nil && len(t.fixrouters) > 0 {
 		// Filter the .json .xml .html extension
 		for _, str := range allowSuffixExt {
-			if strings.HasSuffix(seg, str) && strings.HasSuffix(treePattern, seg) {
+			// pattern == "" avoid cases: /aaa.html/aaa.html could access /aaa/:bbb
+			if strings.HasSuffix(seg, str) && pattern == "" {
 				for _, subTree := range t.fixrouters {
-					// strings.HasSuffix(treePattern, seg) avoid cases: /aaa.html/bbb could access /aaa/bbb
 					if subTree.prefix == seg[:len(seg)-len(str)] {
 						runObject = subTree.match(treePattern, pattern, wildcardValues, ctx)
 						if runObject != nil {

server/web/tree_test.go

@@ -122,6 +122,9 @@ func init() {
 		notMatchTestInfo(abcSuffix, "/abc/suffix.html/a"),
 		matchTestInfo(abcSuffix, "/abc/suffix/a", nil),
 		notMatchTestInfo(abcSuffix, "/abc.j/suffix/a"),
+		// test for fix of issue 4946
+		notMatchTestInfo("/suffix/:name", "/suffix.html/suffix.html"),
+		matchTestInfo("/suffix/:id/name", "/suffix/1234/name.html", map[string]string{":id": "1234", ":ext": "html"}),
 	}
 }