Bug Fix: Directory Traversal

Author: little-cui

echo.go

@@ -53,6 +53,7 @@ import (
 	"path/filepath"
 	"reflect"
 	"runtime"
+	"strings"
 	"sync"
 	"time"
 
@@ -487,6 +488,11 @@ func (common) static(prefix, root string, get func(string, HandlerFunc, ...Middl
 		}
 
 		name := filepath.Join(root, path.Clean("/"+p)) // "/"+ for security
+		// Prevent directory traversal
+		const sep = string(filepath.Separator)
+		if !strings.HasPrefix(name+sep, path.Clean(root)+sep) {
+			return ErrForbidden
+		}
 		fi, err := os.Stat(name)
 		if err != nil {
 			// The access path does not exist