fix issue 4946 (#4954)

* Update tree.go

fix issue 4946 CVE-2022-31259
runner361 2022-05-23 18:15:13 +08:00 committed by GitHub
parent daf779ffca
commit 64cf44d725
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 2 deletions


@ -8,6 +8,7 @@
- [Support lifecycle callback](https://github.com/beego/beego/pull/4918)
- [Append column comments to create table sentence when using postgres](https://github.com/beego/beego/pull/4940)
- [logs: multiFileLogWriter uses incorrect formatter](https://github.com/beego/beego/pull/4943)
- [fix issue 4946 CVE-2022-31259](https://github.com/beego/beego/pull/4954)
# v2.0.2
See v2.0.2-beta.1


@ -341,9 +341,9 @@ func (t *Tree) match(treePattern string, pattern string, wildcardValues []string
if runObject == nil && len(t.fixrouters) > 0 {
// Filter the .json .xml .html extension
for _, str := range allowSuffixExt {
if strings.HasSuffix(seg, str) && strings.HasSuffix(treePattern, seg) {
// pattern == "" avoid cases: /aaa.html/aaa.html could access /aaa/:bbb
if strings.HasSuffix(seg, str) && pattern == "" {
for _, subTree := range t.fixrouters {
// strings.HasSuffix(treePattern, seg) avoid cases: /aaa.html/bbb could access /aaa/bbb
if subTree.prefix == seg[:len(seg)-len(str)] {
runObject = subTree.match(treePattern, pattern, wildcardValues, ctx)
if runObject != nil {
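Review bot: The new guard `pattern == ""` carries the whole fix, but the comment above it gives one example and never states the rule, which is that an extension listed in allowSuffixExt is stripped only from the final path segment. I would spell that out, e.g. `// Strip an allowSuffixExt extension only from the last segment (pattern == ""); stripping it mid-path let /aaa.html/bbb resolve to routes under /aaa.` If the comment that mentions `strings.HasSuffix(treePattern, seg)` inside the loop is still on the new side, it now describes a condition that no longer exists and should be dropped. The last segment is still matched with its extension removed (the test file's `/suffix/1234/name.html` case relies on this). Any filter or authorization check that compares the raw request path rather than the matched route should therefore be reviewed against the suffixed forms. The body of `match` starts and ends outside this hunk, so this is based only on the lines shown.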


@ -122,6 +122,9 @@ func init() {
notMatchTestInfo(abcSuffix, "/abc/suffix.html/a"),
matchTestInfo(abcSuffix, "/abc/suffix/a", nil),
notMatchTestInfo(abcSuffix, "/abc.j/suffix/a"),
// test for fix of issue 4946
notMatchTestInfo("/suffix/:name", "/suffix.html/suffix.html"),
matchTestInfo("/suffix/:id/name", "/suffix/1234/name.html", map[string]string{":id": "1234", ":ext": "html"}),
}
}
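Review bot: The regression coverage added for issue 4946 exercises a single shape, `/suffix.html/suffix.html` against `/suffix/:name`, where both segments carry the same extension. A case where only the non-final segment has an extension, and one using another allowed extension, would pin the rule more tightly, for example `notMatchTestInfo("/suffix/:name", "/suffix.json/abc"),` and `notMatchTestInfo("/suffix/:id/name", "/suffix.html/1234/name"),`. Both would be expected not to match under the new `pattern == ""` guard, but that is inferred from the tree.go hunk and should be confirmed by running them. The comment could also name the advisory so the reason for these cases survives a later cleanup: `// regression tests for issue 4946 (CVE-2022-31259): extension stripped only on the last segment`. The `init` function begins outside this hunk.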