Validation in gowiki

polaris · · 684 clicks
This is a resource shared on ; the information in it may have since developed or changed.
https://golang.org/doc/articles/wiki/#tmp_11

It says that "a user can supply an arbitrary path to be read/written on the server." How? Could someone provide a quick URL that provides an arbitrary path?

You can't leave the current directory as far as I can tell because `..` will go to a different handler. e.g. `localhost:8080/edit/../hi` won't work; it becomes `localhost:8080/hi`. I tried the encoded versions (`%2e`) and that doesn't work either. It just results in a different path for the URL.

How would I really exploit this as a security vulnerability?

---

**Comments:**

gohacker: On Windows you can use `\` (%5c). On Unixes you probably cannot exploit it because of the [cleanPath](https://github.com/golang/go/blob/af15beeab5ff9cde411c3db086ca9a24ace4c898/src/net/http/server.go#L1821-L1836) func.

nhooyr: Interesting. Thanks!
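The whitelist check that the tutorial's validation section introduces, traced against the two URL shapes discussed above, as an added example rather than code from the gowiki tutorial or this thread. The regexp follows the tutorial's pattern; `path.Clean` standing in for `net/http`'s `cleanPath` is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// validPath is the whitelist from the tutorial's validation section: one of
// the three handlers followed by a purely alphanumeric title.
var validPath = regexp.MustCompile("^/(edit|save|view)/([a-zA-Z0-9]+)$")

// decodedPath approximates the handler's r.URL.Path: percent-decoded, then cleaned
// (assumption: path.Clean stands in for net/http's cleanPath).
func decodedPath(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return path.Clean(u.Path), nil
}

// unsafeTitle is the pre-validation tutorial behaviour: the raw suffix after
// "/edit/" becomes the file name, so backslashes reach the filesystem untouched.
func unsafeTitle(p string) string {
	return strings.TrimPrefix(p, "/edit/")
}

// safeTitle rejects anything outside the whitelist, which covers the
// backslashes and dots that path.Clean leaves in place.
func safeTitle(p string) (string, error) {
	m := validPath.FindStringSubmatch(p)
	if m == nil {
		return "", errors.New("invalid page title")
	}
	return m[2], nil
}

func main() {
	urls := []string{"http://localhost:8080/edit/hi",
		"http://localhost:8080/edit/%2e%2e/hi", "http://localhost:8080/edit/%5c..%5chi"}
	for _, raw := range urls {
		p, _ := decodedPath(raw)
		t, err := safeTitle(p)
		fmt.Printf("%-40s path=%q unsafe=%q safe=%q err=%v\n", raw, p, unsafeTitle(p), t, err)
	}
}
```

The `%2e%2e` form is collapsed to `/hi` before the handler runs, while `%5c` decodes to a backslash that `path.Clean` leaves alone; only the whitelist stops the second one.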
