diff framework/env/request/default_router.lua @ 347:169dfbd0246a
Prohibit public access to listing of subdirectories in static/ (on BSD systems)
author | jbe |
date | Thu Mar 26 03:00:04 2015 +0100 (2015-03-26) |
parents | db79324a13fe |
children | 545ec2e3eafa |
1.1 --- a/framework/env/request/default_router.lua Thu Mar 26 02:58:36 2015 +0100
1.2 +++ b/framework/env/request/default_router.lua Thu Mar 26 03:00:04 2015 +0100
1.3 @@ -15,21 +15,18 @@
1.4 if path == "" then
1.5 return {module = "index", view = "index"}
1.6 end
1.7 - local static = string.match(path, "^static/([-./0-9A-Z_a-z]+)$")
1.8 + local static = string.match(path, "^static/([-./0-9A-Z_a-z]*)$")
1.9 if static then
1.10 - if
1.11 - string.match(static, "^/") or
1.12 - string.match(static, "//") or
1.13 - string.match(static, "/$") or
1.14 - string.match(static, "^%.%.?$") or
1.15 - string.match(static, "/%.%.?$") or
1.16 - string.match(static, "^%.%.?/") or
1.17 - string.match(static, "/%.%.?/") -- TODO: improve
1.18 - then
1.19 + -- TODO: move sanitizer to request.handler(...)
1.20 + if string.match(static, "^/") or string.match(static, "//") then
1.21 return nil
1.22 - else
1.23 - return {static = static}
1.24 end
1.25 + for element in string.gmatch(static, "[^/]+") do
1.26 + if element == "." or element == ".." then
1.27 + return nil
1.28 + end
1.29 + end
1.30 + return {static = static}
1.31 end
1.32 local module, action, view, id, suffix
1.33 module = string.match(path, "^([^/]+)/$")
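Review bot: The new code widens what the router accepts rather than narrowing it: the capture changed from `+` to `*` and the old `string.match(static, "/$")` rejection was dropped, so `static/` now yields `{static = ""}` and `static/sub/` yields `{static = "sub/"}` instead of `nil`. Whether these directory-shaped paths are refused therefore depends entirely on request.handler, which is not part of this diff (the TODO on the added comment line suggests that is the plan); if that check is not already in place, the commit's stated goal of blocking subdirectory listings is not met by the router alone. A cheap router-side guard that keeps the old behaviour while the sanitizer is being moved would be `if static == "" or string.match(static, "^/") or string.match(static, "//") or string.match(static, "/$") then`. The `gmatch` loop over `[^/]+` elements is a correct and clearer replacement for the seven removed pattern tests for `.` and `..`. The enclosing router function begins before and ends after this hunk.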