webmcp
diff framework/env/request/handler.lua @ 347:169dfbd0246a
Prohibit public access to listing of subdirectories in static/ (on BSD systems)
author | jbe |
---|---|
date | Thu Mar 26 03:00:04 2015 +0100 (2015-03-26) |
parents | 3db9b672ee73 |
children | 8cf6d927d074 |
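--- a/framework/env/request/handler.lua Thu Mar 26 02:58:36 2015 +0100
+++ b/framework/env/request/handler.lua Thu Mar 26 03:00:04 2015 +0100
@@ -18,7 +18,7 @@
 end
 end
 
-function request.handler(http_request, close)
+function request.handler(http_request)
 request._http_request = http_request
 local path = http_request.path
 if path then
@@ -56,7 +56,19 @@
 end
 
 if request._route.static then
- local f, errmsg = io.open(WEBMCP_BASE_PATH .. "static/" .. request._route.static, "r")
+ local filename = WEBMCP_BASE_PATH .. "static/" .. request._route.static
+ -- TODO: move sanitizer from request.default_router(...) to request.handler(...)
+ local fstat, f, errmsg
+ fstat, errmsg = extos.stat(filename)
+ if fstat then
+ if fstat.isdir then
+ errmsg = "Is a directory"
+ elseif not fstat.isreg then
+ errmsg = "Not a regular file"
+ else
+ f, errmsg = io.open(filename, "r")
+ end
+ end
 if not f then
 request.set_status("404 Not Found")
 if request.get_404_route() then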
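Review bot: In the `request._route.static` branch the file type is checked by name with `extos.stat(filename)` and the file is then opened by name with `io.open(filename, "r")`, so the object checked and the object opened can differ if anything else on the host can write under static/. Checking the opened handle instead would close that gap, provided extos offers a descriptor-based stat. Separately, `filename` is still built from `request._route.static` with no sanitizing in this function; the TODO says the sanitizer lives in `request.default_router(...)`, so a route produced by any other router is presumably covered only by the directory/regular-file test, which does not reject `..` segments. Until the sanitizer moves, I would make the TODO say so, e.g. `-- NOTE: request._route.static must already be sanitized by the router; no traversal check is done here`. The body of `request.handler` starts and ends outside both hunks.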