diff options
| author | Yasuhiro Matsumoto <mattn.jp@gmail.com> | 2022-04-22 10:07:51 +0900 |
|---|---|---|
| committer | Dmitri Shuralyov <dmitshur@golang.org> | 2022-05-31 17:30:12 +0000 |
| commit | 4c69fd51a9ed70da0a6399d0b084b828bc30d562 (patch) | |
| tree | aa54f6a3c29412a401cb050f588b8fe120ebff46 /src/path/filepath/path.go | |
| parent | 909881db03b7aca794c791e4c6e893c9a4638521 (diff) | |
| download | go-4c69fd51a9ed70da0a6399d0b084b828bc30d562.tar.gz go-4c69fd51a9ed70da0a6399d0b084b828bc30d562.zip | |
[release-branch.go1.17] path/filepath: do not remove prefix "." when following path contains ":".
For #52476
Fixes #52478
Fixes CVE-2022-29804
Change-Id: I9eb72ac7dbccd6322d060291f31831dc389eb9bb
Reviewed-on: https://go-review.googlesource.com/c/go/+/401595
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/405235
Reviewed-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Diffstat (limited to 'src/path/filepath/path.go')
| -rw-r--r-- | src/path/filepath/path.go | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/path/filepath/path.go b/src/path/filepath/path.go index b56534dead..8300a32cb1 100644 --- a/src/path/filepath/path.go +++ b/src/path/filepath/path.go @@ -117,9 +117,21 @@ func Clean(path string) string { case os.IsPathSeparator(path[r]): // empty path element r++ - case path[r] == '.' && (r+1 == n || os.IsPathSeparator(path[r+1])): + case path[r] == '.' && r+1 == n: // . element r++ + case path[r] == '.' && os.IsPathSeparator(path[r+1]): + // ./ element + r++ + + for r < len(path) && os.IsPathSeparator(path[r]) { + r++ + } + if out.w == 0 && volumeNameLen(path[r:]) > 0 { + // When joining prefix "." and an absolute path on Windows, + // the prefix should not be removed. + out.append('.') + } case path[r] == '.' && path[r+1] == '.' && (r+2 == n || os.IsPathSeparator(path[r+2])): // .. element: remove to last separator r += 2 |