diff options
| author | Lia Lenckowski <lialenck@protonmail.com> | 2023-10-04 12:59:07 +0200 |
|---|---|---|
| committer | metamuffin <metamuffin@disroot.org> | 2023-10-04 14:26:52 +0200 |
| commit | bcea5ff43869296ade7b8eece91da371f9675771 (patch) | |
| tree | ddaba8184e2b596653985110e95d50d157d2e4a8 | |
| parent | 03ede96a06262aa1fa647f4d26a1a517c33c2103 (diff) | |
| download | gnix-bcea5ff43869296ade7b8eece91da371f9675771.tar gnix-bcea5ff43869296ade7b8eece91da371f9675771.tar.bz2 gnix-bcea5ff43869296ade7b8eece91da371f9675771.tar.zst | |
path resolution (hopefully without path traversal!)
Signed-off-by: metamuffin <metamuffin@disroot.org>
| -rw-r--r-- | src/error.rs | 2 | ||||
| -rw-r--r-- | src/files.rs | 18 |
2 files changed, 17 insertions, 3 deletions
diff --git a/src/error.rs b/src/error.rs index 59f4443..83a1ffa 100644 --- a/src/error.rs +++ b/src/error.rs @@ -18,6 +18,8 @@ pub enum ServiceError { BadRange, #[error("bad utf8")] BadUtf8(#[from] std::str::Utf8Error), + #[error("bad path")] + BadPath, #[error("ohh. i didn't expect that this error can be generated.")] Other, } diff --git a/src/files.rs b/src/files.rs index 2ba9a9f..68a3807 100644 --- a/src/files.rs +++ b/src/files.rs @@ -27,12 +27,24 @@ pub async fn serve_files( let rpath = req.uri().path(); let mut path = config.root.clone(); + let mut user_path_depth = 0; for seg in rpath.split("/") { let seg = percent_decode_str(seg).decode_utf8()?; - if seg == "" || seg == ".." { - continue; // not ideal + + if seg == "" || seg == "." { + continue; + } + + if seg == ".." { + if user_path_depth <= 0 { + return Err(ServiceError::BadPath); + } + path.pop(); + user_path_depth -= 1; + } else { + path.push(seg.as_ref()); + user_path_depth += 1; } - path.push(seg.as_ref()) } if !path.exists() { return Err(ServiceError::NotFound); |