diff options
Diffstat (limited to 'src/files.rs')
| -rw-r--r-- | src/files.rs | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/src/files.rs b/src/files.rs index 2ba9a9f..68a3807 100644 --- a/src/files.rs +++ b/src/files.rs @@ -27,12 +27,24 @@ pub async fn serve_files( let rpath = req.uri().path(); let mut path = config.root.clone(); + let mut user_path_depth = 0; for seg in rpath.split("/") { let seg = percent_decode_str(seg).decode_utf8()?; - if seg == "" || seg == ".." { - continue; // not ideal + + if seg == "" || seg == "." { + continue; + } + + if seg == ".." { + if user_path_depth <= 0 { + return Err(ServiceError::BadPath); + } + path.pop(); + user_path_depth -= 1; + } else { + path.push(seg.as_ref()); + user_path_depth += 1; } - path.push(seg.as_ref()) } if !path.exists() { return Err(ServiceError::NotFound); |