history-museum/clash
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix: potential vulnerability in http provider (#2680)

Browse Source
This commit is contained in:
M4rtin Hsu
2023-04-16 20:14:36 +08:00
committed by GitHub
parent 8e05fbfd6d
commit df61a586c9
2 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
adapter/provider/parser.go
View File

@ -10,7 +10,10 @@ import (
types "github.com/Dreamacro/clash/constant/provider"
)
var errVehicleType = errors.New("unsupport vehicle type")
var (
errVehicleType = errors.New("unsupport vehicle type")
errSubPath = errors.New("path is not subpath of home directory")
)
type healthCheckSchema struct {
Enable bool `provider:"enable"`
@ -53,6 +56,9 @@ func ParseProxyProvider(name string, mapping map[string]any) (types.ProxyProvide
case "file":
vehicle = NewFileVehicle(path)
case "http":
if !C.Path.IsSubPath(path) {
return nil, fmt.Errorf("%w: %s", errSubPath, path)
}
vehicle = NewHTTPVehicle(schema.URL, path)
default:
return nil, fmt.Errorf("%w: %s", errVehicleType, schema.Type)