check local path boundary

cmd/proxy/main.go

@@ -160,6 +160,14 @@ func configFromFile(path string) (*Config, error) {
 		return nil, err
 	}
 
+	if config.Storage.Local != nil {
+		localPath, err := filepath.Abs(config.Storage.Local.Path)
+		if err != nil {
+			return nil, err
+		}
+		config.Storage.Local.Path = localPath
+	}
+
 	return config, nil
 }
 
@@ -170,6 +178,10 @@ func (server *Server) handleRequest(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
+	if !strings.HasPrefix(fullpath, server.Storage.Local.Path) {
+		http.Error(w, "crossing local directory boundary", http.StatusBadRequest)
+		return
+	}
 
 	ranged := r.Header.Get("Range") != ""