
changeset 347:169dfbd0246a

Prohibit public access to listing of subdirectories in static/ (on BSD systems)
author jbe
date Thu Mar 26 03:00:04 2015 +0100 (2015-03-26)
parents b5c8a6ed53d4
children d2429d53a158
files framework/env/request/default_router.lua framework/env/request/handler.lua
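--- a/framework/env/request/default_router.lua
+++ b/framework/env/request/default_router.lua
@@ -15,21 +15,18 @@
   if path == "" then
     return {module = "index", view = "index"}
   end
-  local static = string.match(path, "^static/([-./0-9A-Z_a-z]+)$")
+  local static = string.match(path, "^static/([-./0-9A-Z_a-z]*)$")
   if static then
-    if
-      string.match(static, "^/") or
-      string.match(static, "//") or
-      string.match(static, "/$") or
-      string.match(static, "^%.%.?$") or
-      string.match(static, "/%.%.?$") or
-      string.match(static, "^%.%.?/") or
-      string.match(static, "/%.%.?/")  -- TODO: improve
-    then
+    -- TODO: move sanitizer to request.handler(...)
+    if string.match(static, "^/") or string.match(static, "//") then
       return nil
-    else
-      return {static = static}
     end
+    for element in string.gmatch(static, "[^/]+") do
+      if element == "." or element == ".." then
+        return nil
+      end
+    end
+    return {static = static}
   end
   local module, action, view, id, suffix
   module = string.match(path, "^([^/]+)/$")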
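Review bot: Relaxing `+` to `*` on line 1.8 means a request for exactly `static/` now routes as `{static = ""}` (an empty string is truthy in Lua) instead of falling through to the module/action matching below, and a trailing slash such as `static/css/` is no longer rejected here either, since the old `/$` check is gone; both cases now rely entirely on the handler refusing non-regular files. That looks intentional given the TODO on line 1.19, but the code should say so, e.g. `-- empty and trailing-slash paths are passed through; request.handler() rejects directories via stat` above the return on line 1.30. The leading-`/` and `//` checks on line 1.20 remain necessary because the gmatch loop skips empty segments and would otherwise accept them. request.default_router's body starts before and ends after this hunk.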
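--- a/framework/env/request/handler.lua
+++ b/framework/env/request/handler.lua
@@ -18,7 +18,7 @@
   end
 end
 
-function request.handler(http_request, close)
+function request.handler(http_request)
   request._http_request = http_request
   local path = http_request.path
   if path then
@@ -56,7 +56,19 @@
       end
 
       if request._route.static then
-        local f, errmsg = io.open(WEBMCP_BASE_PATH .. "static/" .. request._route.static, "r")
+        local filename = WEBMCP_BASE_PATH .. "static/" .. request._route.static
+        -- TODO: move sanitizer from request.default_router(...) to request.handler(...)
+        local fstat, f, errmsg
+        fstat, errmsg = extos.stat(filename)
+        if fstat then
+          if fstat.isdir then
+            errmsg = "Is a directory"
+          elseif not fstat.isreg then
+            errmsg = "Not a regular file"
+          else
+            f, errmsg = io.open(filename, "r")
+          end
+        end
         if not f then
           request.set_status("404 Not Found")
           if request.get_404_route() then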
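Review bot: The stat on line 2.20 and the open on line 2.27 are two separate operations on the same path, so the isdir/isreg verdict is only advisory: if `filename` changes between the two calls, `io.open` still succeeds on a directory on the BSD systems this commit targets, which is exactly the exposure the change is meant to close. For the static directory of a deployed application that window is narrow, but the limitation should be recorded, e.g. `-- NOTE: stat-then-open is not atomic; the type check can only be made authoritative by re-checking the opened handle` next to line 2.20, and if the extos library can report on an already-open handle that re-check would be the stronger fix. Whether `extos.stat` follows symlinks is not visible here, so whether `isreg` refers to the link or its target should be confirmed against that library. request.handler's body continues outside the hunk, so the later use of `errmsg` and the closing of `f` could not be reviewed.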
