From c6541da6b1af6864055e1de7fae7d0c377cb834f Mon Sep 17 00:00:00 2001
From: little-cui
Date: Sun, 13 Dec 2020 21:49:11 +0800
Subject: [PATCH] Bug Fix: Directory Traversal
---
 echo.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/echo.go b/echo.go
index 381604180..a514bfa33 100644
--- a/echo.go
+++ b/echo.go
@@ -53,6 +53,7 @@ import (
 "path/filepath"
 "reflect"
 "runtime"
+ "strings"
 "sync"
 "time"
@@ -487,6 +488,10 @@ func (common) static(prefix, root string, get func(string, HandlerFunc, ...Middl
 }
 name := filepath.Join(root, path.Clean("/"+p)) // "/"+ for security
+ // Prevent directory traversal
+ if !strings.HasPrefix(name+string(filepath.Separator), path.Clean(root)+string(filepath.Separator)) {
+ return ErrForbidden
+ }
 fi, err := os.Stat(name)
 if err != nil {
 // The access path does not exist
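Review bot: The new guard in `static` compares `name`, which `filepath.Join` has cleaned with OS separators, against `path.Clean(root)`, which only understands `/`, so the two sides can disagree about the same directory and the check fails closed where it should allow. On Windows a root written with forward slashes or a trailing backslash would not match, and on any platform a root of `.` gives the prefix `./` while `name` comes out as `foo`, so every request would get `ErrForbidden` (whether callers pass such roots is not visible in this hunk). Using one path package throughout avoids this, e.g. `rel, err := filepath.Rel(root, name)` followed by `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { return ErrForbidden }`. The check is lexical only, so a symlink under `root` is still followed by the `os.Stat` on the next line; a comment saying whether that is intended would help. The handler body starts and ends outside the hunk.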