From 16a484a14220604cfbbe5d2793de77d91b40c6ee Mon Sep 17 00:00:00 2001
From: cangui
Date: Fri, 20 Jun 2025 18:20:39 +0200
Subject: [PATCH] up
---
 renders/renders.go | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/renders/renders.go b/renders/renders.go
index f941a3c..4f8fd18 100644
--- a/renders/renders.go
+++ b/renders/renders.go
@@ -661,21 +661,27 @@ func StreamHandler(w http.ResponseWriter, r *http.Request) {
 renderTemplate(w, "folders", data)
 }
 func DetailHandler(w http.ResponseWriter, r *http.Request) {
- base := "/app/uploads"
- rel := r.URL.Query().Get("path")
+ base := "/app/uploads"
+ rel := r.URL.Query().Get("path")
 
- // Nettoyage : retirer un éventuel slash au début
- rel = strings.TrimPrefix(rel, "/")
+ // On sécurise : supprime les éventuels chemins relatifs
+ rel = filepath.Clean("/" + rel) // ça supprime .. etc.
+ rel = strings.TrimPrefix(rel, "/")
 
- absPath := filepath.Join(base, rel)
- fmt.Println("PATH demandé:", rel)
- fmt.Println("Chemin complet:", filepath.Join(base, rel))
+ absPath := filepath.Join(base, rel)
+
+ info, err := os.Stat(absPath)
+ if err != nil {
+ http.NotFound(w, r)
+ return
+ }
+
+ // Protection : vérifier qu'on reste bien dans base
+ if !strings.HasPrefix(absPath, base) {
+ http.NotFound(w, r)
+ return
+ }
 
- info, err := os.Stat(absPath)
- if err != nil {
- http.NotFound(w, r)
- return
- }
 entry := Entry{
 Name: info.Name(),
 Path: rel,
@@ -683,7 +689,7 @@ func DetailHandler(w http.ResponseWriter, r *http.Request) {
 ModTime: info.ModTime(),
 Size: info.Size(),
 }
- // Toujours partial HTMX
+
 renderPartial(w, "_file_detail", map[string]interface{}{
 "Entry": entry,
 })
@@ -694,6 +700,7 @@ func DetailHandler(w http.ResponseWriter, r *http.Request) {
 
 
 
+
 func renderPartial(w http.ResponseWriter, templ string, data map[string]interface{}) {
 // Exécute directement le define `.pages.tmpl`
 if err := templates.ExecuteTemplate(w, templ+".pages.tmpl", data); err != nil {
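Review bot: In the first hunk of DetailHandler the containment guard `if !strings.HasPrefix(absPath, base)` is placed after `os.Stat(absPath)`, so the filesystem is consulted before the path has been vetted; move the guard directly under `absPath := filepath.Join(base, rel)` so a rejected path never reaches Stat. The bare prefix test is also looser than it reads, since it would accept a sibling directory such as `/app/uploads2` if absPath were ever built differently, so compare against the separator-terminated base: `if absPath != base && !strings.HasPrefix(absPath, base+string(filepath.Separator)) {`. Because rel has already been through `filepath.Clean("/" + rel)` and `TrimPrefix`, Join cannot escape base here, so the check is defence in depth rather than the primary control; a comment such as `// defence in depth: Clean above already strips "..", keep this in case that changes` would stop a later edit from dropping it as redundant. Note too that os.Stat follows symlinks, so if /app/uploads can hold user-created links the lexical check alone does not bound what gets described; that depends on how uploads are created, which is not visible here. DetailHandler's body continues past the end of this hunk.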