# HG changeset patch
# User jbe
# Date 1427335204 -3600
# Node ID 169dfbd0246a1f8fe2ba648a966f680c08d55c6f
# Parent b5c8a6ed53d4d8aa5749cab057401a502aa60363
Prohibit public access to listing of subdirectories in static/ (on BSD systems)

diff -r b5c8a6ed53d4 -r 169dfbd0246a framework/env/request/default_router.lua
--- a/framework/env/request/default_router.lua	Thu Mar 26 02:58:36 2015 +0100
+++ b/framework/env/request/default_router.lua	Thu Mar 26 03:00:04 2015 +0100
@@ -15,21 +15,18 @@
   if path == "" then
     return {module = "index", view = "index"}
   end
-  local static = string.match(path, "^static/([-./0-9A-Z_a-z]+)$")
+  local static = string.match(path, "^static/([-./0-9A-Z_a-z]*)$")
   if static then
-    if
-      string.match(static, "^/") or
-      string.match(static, "//") or
-      string.match(static, "/$") or
-      string.match(static, "^%.%.?$") or
-      string.match(static, "/%.%.?$") or
-      string.match(static, "^%.%.?/") or
-      string.match(static, "/%.%.?/") -- TODO: improve
-    then
+    -- TODO: move sanitizer to request.handler(...)
+    if string.match(static, "^/") or string.match(static, "//") then
       return nil
-    else
-      return {static = static}
     end
+    for element in string.gmatch(static, "[^/]+") do
+      if element == "." or element == ".." then
+        return nil
+      end
+    end
+    return {static = static}
   end
   local module, action, view, id, suffix
   module = string.match(path, "^([^/]+)/$")
diff -r b5c8a6ed53d4 -r 169dfbd0246a framework/env/request/handler.lua
--- a/framework/env/request/handler.lua	Thu Mar 26 02:58:36 2015 +0100
+++ b/framework/env/request/handler.lua	Thu Mar 26 03:00:04 2015 +0100
@@ -18,7 +18,7 @@
     end
   end
-function request.handler(http_request, close)
+function request.handler(http_request)
   request._http_request = http_request
   local path = http_request.path
   if path then
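Review bot: The router now forwards `static/` (an empty capture, since `+` became `*`) and slash-terminated paths (the `/$` rejection is gone) with only a TODO as explanation, and nothing at this site records that refusing directories has become the job of the stat check in request.handler; a later reader of the router alone will take the dropped checks for lost hardening. Suggest replacing the TODO with a comment such as `-- ".", ".." and "//" are refused here; empty or trailing-slash paths are passed on deliberately so request.handler() can stat the target and answer 404 for directories`. Note that `string.gmatch(static, "[^/]+")` never yields an empty element, so the `//` test above it is the only guard against doubled slashes; keep the two together if the sanitizer is moved as the TODO proposes. The enclosing router function starts before and ends after this hunk.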
@@ -56,7 +56,19 @@
     end
     if request._route.static then
-      local f, errmsg = io.open(WEBMCP_BASE_PATH .. "static/" .. request._route.static, "r")
+      local filename = WEBMCP_BASE_PATH .. "static/" .. request._route.static
+      -- TODO: move sanitizer from request.default_router(...) to request.handler(...)
+      local fstat, f, errmsg
+      fstat, errmsg = extos.stat(filename)
+      if fstat then
+        if fstat.isdir then
+          errmsg = "Is a directory"
+        elseif not fstat.isreg then
+          errmsg = "Not a regular file"
+        else
+          f, errmsg = io.open(filename, "r")
+        end
+      end
       if not f then
         request.set_status("404 Not Found")
         if request.get_404_route() then
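Review bot: The new stat-then-open sequence is a check-then-use pair: `extos.stat(filename)` and the later `io.open(filename, "r")` resolve the path twice, so a directory or special file placed at that path between the two calls would still be opened on systems whose fopen() accepts directories, which is the very case this commit targets. That window only matters if something other than the deployment can write into static/, so the assumption is worth recording instead of leaving it implicit, e.g. `-- stat() and open() are separate lookups: static/ is assumed to be modifiable only by the deployer; otherwise the type check must be repeated on the open handle`. Within this hunk `errmsg` is assigned in the stat branches but only `f` is tested afterwards, so whether "Is a directory" / "Not a regular file" ever reach a log or response depends on code after the hunk. The enclosing request.handler function starts before and ends after this hunk.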