From 1a0db29aa69688de3d4d451142b28bb15443c876 Mon Sep 17 00:00:00 2001
From: hcl
Date: Mon, 25 Jan 2021 23:37:54 +0800
Subject: [PATCH] prevent route leak
---
server/server.go | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/server/server.go b/server/server.go
index dc855cb..77336c7 100644
--- a/server/server.go
+++ b/server/server.go
@@ -69,6 +69,10 @@ func unsafeMethod(method string) bool {
 func (h Handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 reqPath := req.URL.Path
 if BasePath != "" {
+ if !strings.HasPrefix(reqPath, BasePath) {
+ rw.WriteHeader(http.StatusNotFound)
+ return
+ }
 reqPath = strings.TrimPrefix(req.URL.Path, BasePath)
 if reqPath == "" {
 http.Redirect(rw, req, BasePath+"/", http.StatusFound)
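Review bot: The added `strings.HasPrefix(reqPath, BasePath)` guard compares raw string prefixes rather than path segments, so a sibling path that merely starts with the same characters still passes. With a base path of `/app` (constructed example), a request for `/app-internal` is accepted and then trimmed to `-internal`, which has no leading slash. The redirect to `BasePath+"/"` suggests BasePath is stored without a trailing slash, so the guard could require a segment boundary: `if reqPath != BasePath && !strings.HasPrefix(reqPath, BasePath+"/") {`. ServeHTTP continues past the end of the hunk, so how the trimmed path is matched afterwards is not visible here. A short comment on the guard stating that requests outside BasePath must never reach the router would also record the intent behind "prevent route leak".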