Fix Malformed dir traversal (#331)

BennyThink · n0vad3v · web-flow · commit be323289982d · 2024-04-23T13:15:40.000+08:00
* Directory traversal with malformed HTTP request #330 * bump version * also %2e * Use prefix to check invalid Path --------- Co-authored-by: n0vad3v <n0vad3v@riseup.net>
diff --git a/config/config.go b/config/config.go
@@ -50,7 +50,7 @@ var (
 	ProxyMode      bool
 	Prefetch       bool
 	Config         = NewWebPConfig()
-	Version        = "0.11.2"
+	Version        = "0.11.3"
 	WriteLock      = cache.New(5*time.Minute, 10*time.Minute)
 	ConvertLock    = cache.New(5*time.Minute, 10*time.Minute)
 	RemoteRaw      = "./remote-raw"
diff --git a/handler/router.go b/handler/router.go
@@ -22,6 +22,12 @@ func Convert(c *fiber.Ctx) error {
 	// 2. generate rawImagePath, could be local path or remote url(possible with query string)
 	// 3. pass it to encoder, get the result, send it back
 
+	// normal http request will start with /
+	if !strings.HasPrefix(c.Path(), "/") {
+		_ = c.SendStatus(http.StatusBadRequest)
+		return nil
+	}
+
 	var (
 		reqHostname = c.Hostname()
 		reqHost     = c.Protocol() + "://" + reqHostname // http://www.example.com:8000
