Ban urls with .. segment

ije · ije · commit 492de92850dd · 2025-09-16T19:21:03.000+08:00
diff --git a/server/router.go b/server/router.go
@@ -72,7 +72,7 @@ func esmRouter(db Database, esmStorage storage.Storage, logger *log.Logger) rex.
 		pathname := ctx.R.URL.Path
 
 		// ban malicious requests
-		if strings.HasPrefix(pathname, "/.") || strings.HasSuffix(pathname, ".env") || strings.HasSuffix(pathname, ".php") {
+		if strings.HasSuffix(pathname, ".env") || strings.HasSuffix(pathname, ".php") || strings.Contains(pathname, "/.") {
 			return rex.Status(404, "not found")
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ func esmRouter(db Database, esmStorage storage.Storage, logger *log.Logger) rex.`
`72`	`72`	`pathname := ctx.R.URL.Path`
`73`	`73`
`74`	`74`	`// ban malicious requests`
`75`		`- if strings.HasPrefix(pathname, "/.") \|\| strings.HasSuffix(pathname, ".env") \|\| strings.HasSuffix(pathname, ".php") {`
	`75`	`+ if strings.HasSuffix(pathname, ".env") \|\| strings.HasSuffix(pathname, ".php") \|\| strings.Contains(pathname, "/.") {`
`76`	`76`	`return rex.Status(404, "not found")`
`77`	`77`	`}`
`78`	`78`