From 14f94e0cfc0bbcd3b93df27242de2bff948eb52b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=8D=92=E9=87=8E=E7=84=A1=E7=87=88?=
Date: Sun, 23 Jun 2019 22:40:59 +0800
Subject: [PATCH] prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name` cause panic

this bug was introduced in https://github.com/filebrowser/filebrowser/pull/727
---
 http/public.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/http/public.go b/http/public.go
index ab44778c..ba2692b3 100644
--- a/http/public.go
+++ b/http/public.go
@@ -40,8 +40,15 @@ var withHashFile = func(fn handleFunc) handleFunc {
 }
 }
 
+// ref to https://github.com/filebrowser/filebrowser/pull/727
+// `/api/public/dl/MEEuZK-v/file-name.txt` for old browsers to save file with correct name
 func ifPathWithName(r *http.Request) string {
 pathElements := strings.Split(r.URL.Path, "/")
+ // prevent maliciously constructed parameters like `/api/public/dl/XZzCDnK2_not_exists_hash_name`
+ // len(pathElements) will be 1, and golang will panic `runtime error: index out of range`
+ if len(pathElements) < 2 {
+ return r.URL.Path
+ }
 id := pathElements[len(pathElements)-2]
 return id
 }
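Review bot: The fallback `return r.URL.Path` in the new guard silently treats a slash-free path as the hash itself, which is only correct if the router hands ifPathWithName a path already stripped of its `/api/public/dl/` prefix; that assumption is what makes `len(pathElements)` equal 1, yet it is stated nowhere in the hunk, and the two comment lines added above the signature describe the old-browser URL shape without saying what the function returns. I would replace them with a Go doc comment that starts with the name, e.g. `// ifPathWithName extracts the share hash from a public download path: "hash/file-name.txt" yields "hash" (the file-name suffix lets old browsers save with the right name); a path containing no slash is returned unchanged so a bare hash can no longer index before the start of the slice.` Because this endpoint is reachable without authentication, a small table test over `"hash/name"`, `"hash"` and `""` would pin the no-panic behaviour the commit restores (net/http recovers handler panics per connection, so the prior impact was a closed connection and log noise rather than a crash, but a public unauthenticated panic path is still worth a regression test). The caller that consumes this value, presumably withHashFile whose closing braces open the hunk, lies outside the hunk, so how a non-existent hash is handled cannot be checked here.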