From 73a2adc05557ef919bf83b530fdefdcc26c7985a Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Fri, 16 Oct 2020 21:23:13 +0200
Subject: [PATCH] Do not allow \ or @ in URL
---
 web/handler.go | 6 ++++++
 web/web.go | 4 ----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/web/handler.go b/web/handler.go
index b7c55b0..d9cc4fa 100644
--- a/web/handler.go
+++ b/web/handler.go
@@ -8,6 +8,7 @@ import (
 "log"
 "net"
 "net/http"
+ "regexp"
 "strings"

 "github.com/markbates/pkger"
@@ -17,6 +18,11 @@ import (
 "gitlab.crans.org/nounous/ghostream/stream/webrtc"
 )

+var (
+ // Precompile regex
+ validPath = regexp.MustCompile("^/[a-z0-9_-]*$")
+)
+
 // Handle WebRTC session description exchange via POST
 func viewerPostHandler(w http.ResponseWriter, r *http.Request) {
 // Limit response body to 128KB
diff --git a/web/web.go b/web/web.go
index 2ef30a2..929053b 100644
--- a/web/web.go
+++ b/web/web.go
@@ -7,7 +7,6 @@ import (
 "log"
 "net/http"
 "os"
- "regexp"
 "strings"

 "github.com/markbates/pkger"
@@ -42,9 +41,6 @@ var (

 // Preload templates
 templates *template.Template
-
-// Precompile regex
-// validPath = regexp.MustCompile("^/[a-z0-9@_\\-]*/?$")
 )

 // Load templates with pkger
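Review bot: The comment on `validPath` in the added `var` block of web/handler.go says only "Precompile regex", so the allowlist this commit tightens is not documented where it is defined. Compared with the pattern removed from web/web.go, the new pattern drops the optional trailing `/?` as well as `@`, so a path such as `/name/` no longer matches; the commit message does not mention this, so it is worth stating if it is intentional. I would replace the comment with `// validPath allowlists request paths: "/" followed by zero or more of a-z, 0-9, "_" or "-"; "@", "\" and a trailing slash are rejected.` The code that applies `validPath` lies outside this hunk, so it cannot be confirmed from here that every handler matches it against the decoded `r.URL.Path` before using the path.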