From 53df153a70b68c586f4f2b0a68693f4990a56a98 Mon Sep 17 00:00:00 2001
From: Laurynas Gadliauskas
Date: Wed, 9 Jun 2021 12:44:51 +0300
Subject: [PATCH] fix: check absolute symlinks
---
 http/resource.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/http/resource.go b/http/resource.go
index ff39194f..3f334100 100644
--- a/http/resource.go
+++ b/http/resource.go
@@ -65,7 +65,12 @@ var resourceGetHandler = withUser(func(w http.ResponseWriter, r *http.Request, d
 // remove symlinks that link outside base path
 if fi.IsSymlink {
- fullLinkTarget := filepath.Join(d.user.FullPath(file.Path), fi.Link)
+ var fullLinkTarget string
+ if filepath.IsAbs(fi.Link) {
+ fullLinkTarget = fi.Link
+ } else {
+ fullLinkTarget = filepath.Join(d.user.FullPath(file.Path), fi.Link)
+ }
 scopedLinkTarget := d.user.FullPath(filepath.Join(file.Path, fi.Link))
 if fullLinkTarget != scopedLinkTarget {
 return false
@@ -337,7 +342,12 @@ func checkOutOfScopeSymlink(d *data, target string) error {
 symlink, err := lsf.ReadlinkIfPossible(evalPath)
 if err == nil {
 parentDir := filepath.Dir(evalPath)
- fullLinkTarget := filepath.Join(d.user.FullPath(parentDir), symlink)
+ var fullLinkTarget string
+ if filepath.IsAbs(symlink) {
+ fullLinkTarget = symlink
+ } else {
+ fullLinkTarget = filepath.Join(d.user.FullPath(parentDir), symlink)
+ }
 scopedLinkTarget := d.user.FullPath(filepath.Join(parentDir, symlink))
 if fullLinkTarget != scopedLinkTarget {
 return errors.ErrNotExist
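Review bot: The scope test in the first hunk (the listing filter inside resourceGetHandler) is still a string comparison on the text of one link, so it only catches a link whose own target string leaves the base path. A relative link that points at another symlink, or that passes through a symlinked directory, would still compare equal and be listed. The same applies to checkOutOfScopeSymlink in the second hunk unless the code outside that hunk already walks every path component. Consider resolving first, e.g. `resolved, err := filepath.EvalSymlinks(fullLinkTarget)`, and comparing the result against the user's root. Since the new branch appears to make every absolute target fail the comparison, a comment such as `// absolute targets never equal the scoped path, so all absolute links are treated as out of scope` would record that this is intended; both enclosing functions start and end outside the hunks.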
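Review bot: The absolute/relative branch added to checkOutOfScopeSymlink in the second hunk is a copy of the one added to resourceGetHandler, so the two scope checks can drift apart the next time one of them is fixed. A small helper that takes the directory and the link text would keep both call sites identical. It can also pass the absolute target through `filepath.Clean`, so that both sides of the comparison are normalised the same way. The body of checkOutOfScopeSymlink continues outside the hunk.

```go
// linkTarget returns the unresolved path that a symlink stored in dir points
// to: an absolute link is returned cleaned, a relative one is joined onto dir.
func linkTarget(dir, link string) string {
	if filepath.IsAbs(link) {
		return filepath.Clean(link)
	}
	return filepath.Join(dir, link)
}

// in resourceGetHandler:
fullLinkTarget := linkTarget(d.user.FullPath(file.Path), fi.Link)

// in checkOutOfScopeSymlink:
fullLinkTarget := linkTarget(d.user.FullPath(parentDir), symlink)
// … unchanged: scopedLinkTarget comparison and error return …
```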