webmcp
changeset 347:169dfbd0246a
Prohibit public access to listing of subdirectories in static/ (on BSD systems)
author | jbe |
---|---|
date | Thu Mar 26 03:00:04 2015 +0100 (2015-03-26) |
parents | b5c8a6ed53d4 |
children | d2429d53a158 |
files | framework/env/request/default_router.lua framework/env/request/handler.lua |
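--- a/framework/env/request/default_router.lua
+++ b/framework/env/request/default_router.lua
@@ -15,21 +15,18 @@
   if path == "" then
     return {module = "index", view = "index"}
   end
-  local static = string.match(path, "^static/([-./0-9A-Z_a-z]+)$")
+  local static = string.match(path, "^static/([-./0-9A-Z_a-z]*)$")
   if static then
-    if
-      string.match(static, "^/") or
-      string.match(static, "//") or
-      string.match(static, "/$") or
-      string.match(static, "^%.%.?$") or
-      string.match(static, "/%.%.?$") or
-      string.match(static, "^%.%.?/") or
-      string.match(static, "/%.%.?/") -- TODO: improve
-    then
+    -- TODO: move sanitizer to request.handler(...)
+    if string.match(static, "^/") or string.match(static, "//") then
       return nil
-    else
-      return {static = static}
     end
+    for element in string.gmatch(static, "[^/]+") do
+      if element == "." or element == ".." then
+        return nil
+      end
+    end
+    return {static = static}
   end
   local module, action, view, id, suffix
   module = string.match(path, "^([^/]+)/$")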
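Review bot: The relaxed pattern `[-./0-9A-Z_a-z]*` now accepts an empty capture for the path `static/`, and the old `/$` test is gone, so `static = ""` and `static = "foo/"` both pass the new checks and come back as `{static = static}`; the router thus returns a static route for directory-shaped paths and relies on the handler's stat check to turn them into a 404. The TODO hints at that coupling, but it is worth stating next to the `for element` loop, e.g. `-- directories and trailing slashes are rejected in request.handler via extos.stat`. The loop rejects only `.` and `..`, so elements such as `.htaccess` or `.git` still pass; if dotfiles under static/ are not meant to be public, `if string.sub(element, 1, 1) == "." then return nil end` would cover them, otherwise a comment saying dotfiles are intentionally served avoids the question later. The enclosing router function begins and ends outside this hunk.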
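--- a/framework/env/request/handler.lua
+++ b/framework/env/request/handler.lua
@@ -18,7 +18,7 @@
     end
   end
 
-function request.handler(http_request, close)
+function request.handler(http_request)
   request._http_request = http_request
   local path = http_request.path
   if path then
@@ -56,7 +56,19 @@
   end
 
   if request._route.static then
-    local f, errmsg = io.open(WEBMCP_BASE_PATH .. "static/" .. request._route.static, "r")
+    local filename = WEBMCP_BASE_PATH .. "static/" .. request._route.static
+    -- TODO: move sanitizer from request.default_router(...) to request.handler(...)
+    local fstat, f, errmsg
+    fstat, errmsg = extos.stat(filename)
+    if fstat then
+      if fstat.isdir then
+        errmsg = "Is a directory"
+      elseif not fstat.isreg then
+        errmsg = "Not a regular file"
+      else
+        f, errmsg = io.open(filename, "r")
+      end
+    end
     if not f then
       request.set_status("404 Not Found")
       if request.get_404_route() then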
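Review bot: The `fstat.isdir` / `fstat.isreg` branches in the second hunk carry no explanation of why a stat now precedes `io.open`, and the reason is only in the commit title; a comment such as `-- stat before open: on BSD systems io.open() succeeds on a directory and reading it returns the raw listing` would keep the check from being simplified away as redundant later. Because the type check and the open are two separate calls on the same path, a file whose type changes between `extos.stat(filename)` and `io.open(filename, "r")` is still opened; that needs write access to static/, so the risk is presumably low, but if extos exposes a stat on the open handle, re-checking `isreg` there would close the window, and otherwise the limitation belongs in the same comment. The enclosing `request.handler` function starts in the first hunk and ends outside this one.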