From bcea5ff43869296ade7b8eece91da371f9675771 Mon Sep 17 00:00:00 2001
From: Lia Lenckowski <lialenck@protonmail.com>
Date: Wed, 4 Oct 2023 12:59:07 +0200
Subject: path resolution (hopefully without path traversal!)

Signed-off-by: metamuffin <metamuffin@disroot.org>
---
 src/files.rs | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

(limited to 'src/files.rs')

diff --git a/src/files.rs b/src/files.rs
index 2ba9a9f..68a3807 100644
--- a/src/files.rs
+++ b/src/files.rs
@@ -27,12 +27,24 @@ pub async fn serve_files(
     let rpath = req.uri().path();
 
     let mut path = config.root.clone();
+    let mut user_path_depth = 0;
     for seg in rpath.split("/") {
         let seg = percent_decode_str(seg).decode_utf8()?;
-        if seg == "" || seg == ".." {
-            continue; // not ideal
+
+        if seg == "" || seg == "." {
+            continue;
+        }
+
+        if seg == ".." {
+            if user_path_depth <= 0 {
+                return Err(ServiceError::BadPath);
+            }
+            path.pop();
+            user_path_depth -= 1;
+        } else {
+            path.push(seg.as_ref());
+            user_path_depth += 1;
         }
-        path.push(seg.as_ref())
     }
     if !path.exists() {
         return Err(ServiceError::NotFound);
-- 
cgit v1.2.3-70-g09d2