diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/error.rs | 2 | ||||
| -rw-r--r-- | src/files.rs | 18 |
2 files changed, 17 insertions, 3 deletions
diff --git a/src/error.rs b/src/error.rs index 59f4443..83a1ffa 100644 --- a/src/error.rs +++ b/src/error.rs @@ -18,6 +18,8 @@ pub enum ServiceError { BadRange, #[error("bad utf8")] BadUtf8(#[from] std::str::Utf8Error), + #[error("bad path")] + BadPath, #[error("ohh. i didn't expect that this error can be generated.")] Other, } diff --git a/src/files.rs b/src/files.rs index 2ba9a9f..68a3807 100644 --- a/src/files.rs +++ b/src/files.rs @@ -27,12 +27,24 @@ pub async fn serve_files( let rpath = req.uri().path(); let mut path = config.root.clone(); + let mut user_path_depth = 0; for seg in rpath.split("/") { let seg = percent_decode_str(seg).decode_utf8()?; - if seg == "" || seg == ".." { - continue; // not ideal + + if seg == "" || seg == "." { + continue; + } + + if seg == ".." { + if user_path_depth <= 0 { + return Err(ServiceError::BadPath); + } + path.pop(); + user_path_depth -= 1; + } else { + path.push(seg.as_ref()); + user_path_depth += 1; } - path.push(seg.as_ref()) } if !path.exists() { return Err(ServiceError::NotFound); |