diff --git a/server/clamav.go b/server/clamav.go
index 49d96a2..e3d18da 100644
--- a/server/clamav.go
+++ b/server/clamav.go
@@ -32,19 +32,17 @@ import (
 "io"
 "log"
 "net/http"
- "path/filepath"
 "time"
 clamd "github.com/dutchcoders/go-clamd"
 "github.com/gorilla/mux"
- "github.com/kennygrant/sanitize"
 )
 func (s *Server) scanHandler(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- filename := sanitize.Path(filepath.Base(vars["filename"]))
+ filename := sanitize(vars["filename"])
 contentLength := r.ContentLength
 contentType := r.Header.Get("Content-Type")
diff --git a/server/handlers.go b/server/handlers.go
index d1f7cd5..54c62dc 100644
--- a/server/handlers.go
+++ b/server/handlers.go
@@ -55,7 +55,6 @@ import (
 web "github.com/dutchcoders/transfer.sh-web"
 "github.com/gorilla/mux"
- "github.com/kennygrant/sanitize"
 "github.com/russross/blackfriday"
 )
@@ -190,6 +189,10 @@ func (s *Server) notFoundHandler(w http.ResponseWriter, r *http.Request) {
 http.Error(w, http.StatusText(404), 404)
 }
+func sanitize(fileName string) string {
+ return path.Clean(path.Base(fileName))
+}
+
 func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 if err := r.ParseMultipartForm(_24K); nil != err {
 log.Printf("%s", err.Error())
@@ -203,7 +206,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 for _, fheaders := range r.MultipartForm.File {
 for _, fheader := range fheaders {
- filename := sanitize.Path(filepath.Base(fheader.Filename))
+ filename := sanitize(fheader.Filename)
 contentType := fheader.Header.Get("Content-Type")
 if contentType == "" {
@@ -271,7 +274,7 @@ func (s *Server) postHandler(w http.ResponseWriter, r *http.Request) {
 func (s *Server) putHandler(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- filename := sanitize.Path(filepath.Base(vars["filename"]))
+ filename := sanitize(vars["filename"])
 contentLength := r.ContentLength
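Review bot: The `sanitize` helper added to server/handlers.go (hunk `@@ -190,6 +189,10 @@`) returns `.`, `..` or `/` unchanged when the input's last element is one of those (`path.Base("")` is `.`, and `path.Clean` leaves all three as they are), so every caller in this commit (scanHandler, postHandler, putHandler, zipHandler, tarGzHandler, virusTotalHandler) can pass a value that is not a file name on to storage. `path.Base` also splits on `/` only, so a backslash survives in the upload handlers, which matters if the storage backend ever sits on a Windows filesystem; zipHandler and tarGzHandler already rewrite `\` to `/` before splitting. The character filtering that the removed `sanitize.Path` call applied is gone as well, so any place the name is echoed into a response header should be checked for control characters (that code is outside these hunks). I would normalise the separator, take the base, and return an empty string for the three degenerate results so that callers can answer 400, and give the helper a doc comment stating what it does and does not guarantee.

```go
// sanitize reduces a client-supplied name to a single path element.
// It returns "" when nothing usable is left; callers must reject that.
func sanitize(fileName string) string {
	name := path.Base(strings.Replace(fileName, "\\", "/", -1))
	switch name {
	case ".", "..", "/":
		return ""
	}
	return name
}
```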
@@ -395,7 +398,7 @@ func (s *Server) zipHandler(w http.ResponseWriter, r *http.Request) {
 key = strings.Replace(key, "\\", "/", -1)
 token := strings.Split(key, "/")[0]
- filename := sanitize.Path(strings.Split(key, "/")[1])
+ filename := sanitize(strings.Split(key, "/")[1])
 reader, _, _, err := s.storage.Get(token, filename)
@@ -466,7 +469,7 @@ func (s *Server) tarGzHandler(w http.ResponseWriter, r *http.Request) {
 key = strings.Replace(key, "\\", "/", -1)
 token := strings.Split(key, "/")[0]
- filename := sanitize.Path(strings.Split(key, "/")[1])
+ filename := sanitize(strings.Split(key, "/")[1])
 reader, _, contentLength, err := s.storage.Get(token, filename)
 if err != nil {
diff --git a/server/virustotal.go b/server/virustotal.go
index b483d0d..61c81d2 100644
--- a/server/virustotal.go
+++ b/server/virustotal.go
@@ -29,18 +29,17 @@ import (
 "io"
 "log"
 "net/http"
- "path/filepath"
 _ "github.com/PuerkitoBio/ghost/handlers"
- "github.com/dutchcoders/go-virustotal"
 "github.com/gorilla/mux"
- "github.com/kennygrant/sanitize"
+
+ virustotal "github.com/dutchcoders/go-virustotal"
 )
 func (s *Server) virusTotalHandler(w http.ResponseWriter, r *http.Request) {
 vars := mux.Vars(r)
- filename := sanitize.Path(filepath.Base(vars["filename"]))
+ filename := sanitize(vars["filename"])
 contentLength := r.ContentLength
 contentType := r.Header.Get("Content-Type")
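Review bot: In zipHandler, the new line still indexes `strings.Split(key, "/")[1]` without a length check, so a key that contains no `/` panics with an index-out-of-range before `sanitize` is reached; tarGzHandler (hunk `@@ -466,7 +469,7 @@`) has the same line. `token` is taken from the first segment and passed to `s.storage.Get` without any validation, so only half of the storage key is checked here (what the storage layer does with it is outside this hunk). Splitting once and checking the result covers both, for example `parts := strings.Split(key, "/")` followed by `if len(parts) < 2 { http.Error(w, http.StatusText(400), 400); return }`, with `token` then held to whatever format the upload path generates. Both handler bodies start and end outside their hunks.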