author | Valery Piashchynski <[email protected]> | 2021-05-13 19:59:12 +0300 |
---|---|---|
committer | Valery Piashchynski <[email protected]> | 2021-05-13 19:59:12 +0300 |
commit | 21f650ffed39e2304643f967a5b425bf8c2929a7 (patch) | |
tree | 0306be86bb5749a6877f28221c5f4329a92e376d | |
parent | c7f900a7f02ea207392ee8126e141b2388ea44ca (diff) |
- Update serve logic. Check the forbidden and allowed lists before opening
a file
Signed-off-by: Valery Piashchynski <[email protected]>
-rw-r--r-- | plugins/static/plugin.go | 41 |
1 files changed, 20 insertions, 21 deletions
diff --git a/plugins/static/plugin.go b/plugins/static/plugin.go
index f2d8ee3f..f6d9a0f2 100644
--- a/plugins/static/plugin.go
+++ b/plugins/static/plugin.go
@@ -128,6 +128,18 @@ func (s *Plugin) Middleware(next http.Handler) http.Handler {
 return
 }
 
+ // if we have some allowed extensions, we should check them
+ // if not - all extensions allowed except forbidden
+ if len(s.allowedExtensions) > 0 {
+ // not found in allowed
+ if _, ok := s.allowedExtensions[ext]; !ok {
+ next.ServeHTTP(w, r)
+ return
+ }
+
+ // file extension allowed
+ }
+
 // ok, file is not in the forbidden list
 // Stat it and get file info
 f, err := s.root.Open(fPath)
@@ -150,6 +162,13 @@ func (s *Plugin) Middleware(next http.Handler) http.Handler {
 return
 }
 
+ defer func() {
+ err = f.Close()
+ if err != nil {
+ s.log.Error("file close error", "error", err)
+ }
+ }()
+
 // if provided path to the dir, do not serve the dir, but pass the request to the worker
 if finfo.IsDir() {
 s.log.Debug("possible path to dir provided")
@@ -163,27 +182,7 @@ func (s *Plugin) Middleware(next http.Handler) http.Handler {
 SetEtag(s.cfg.Static.Weak, f, finfo.Name(), w)
 }
 
- defer func() {
- err = f.Close()
- if err != nil {
- s.log.Error("file close error", "error", err)
- }
- }()
-
- // here we know, that file extension is not in the AlwaysServe and file exists
- // (or by some reason, there is no error from the http.Open method)
-
- // if we have some allowed extensions, we should check them
- if len(s.allowedExtensions) > 0 {
- if _, ok := s.allowedExtensions[ext]; ok {
- http.ServeContent(w, r, finfo.Name(), finfo.ModTime(), f)
- }
-
- // file not in the allowed file extensions
- return
- }
-
- // otherwise we guess, that all file extensions are allowed
+ // we passed all checks - serve the file
 http.ServeContent(w, r, finfo.Name(), finfo.ModTime(), f)
 })
 }
|
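Review bot: The allow-list test added in the first hunk (@@ -128,6 +128,18 @@), `s.allowedExtensions[ext]`, is an exact-match map lookup, and `ext` is computed outside the hunk, so confirm it is normalised the same way the map keys are (for example lower-cased); otherwise the allowed and forbidden checks can disagree with what a case-insensitive filesystem resolves. The decision is made on the request path's extension before `s.root.Open(fPath)`, so if the root follows symlinks the target's real type is never re-checked; a comment such as `// ext comes from the request path; symlink targets are not re-validated` would make that assumption explicit. The trailing `// file extension allowed` comment and blank line inside the `if` guard no statement and can be dropped. Middleware's body starts and ends outside this hunk.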
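Review bot: In the second hunk (@@ -150,6 +162,13 @@) the deferred close is registered only after the `return` of the preceding error branch; if that branch is the `f.Stat()` failure path (it lies outside the hunk, so this is inferred), the handle from `s.root.Open(fPath)` is leaked there, and the defer belongs directly after the successful Open. The closure also assigns to the captured outer `err`; scoping it locally avoids touching the handler's variable: `if err := f.Close(); err != nil { s.log.Error("file close error", "error", err) }`. Middleware's body continues outside the hunk.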