sanitize paths in handle_request
parent
a0efdca18b
commit
198fab6f2a
23
src/main.rs
23
src/main.rs
@ -219,13 +219,24 @@ fn handle_request(req: Request<Body>) -> BoxFut {
|
||||
let path = parts.uri.path();
|
||||
|
||||
// normalize path
|
||||
let components: Vec<&str> = path.split('/').filter(|x| !x.is_empty()).collect();
|
||||
// do not allow ".", "..", or hidden files ".XXXX"
|
||||
// also remove empty path components
|
||||
|
||||
let items = path.split('/');
|
||||
let mut path = String::new();
|
||||
let mut components = vec![];
|
||||
|
||||
for name in items {
|
||||
if name.is_empty() { continue; }
|
||||
if name.starts_with(".") {
|
||||
http_error_future!(BAD_REQUEST, "Path contains illegal components.\n");
|
||||
}
|
||||
path.push('/');
|
||||
path.push_str(name);
|
||||
components.push(name);
|
||||
}
|
||||
|
||||
let comp_len = components.len();
|
||||
let path = components.iter().fold(String::new(), |mut acc, chunk| {
|
||||
acc.push('/');
|
||||
acc.push_str(chunk);
|
||||
acc
|
||||
});
|
||||
|
||||
println!("REQUEST {} {}", method, path);
|
||||
println!("COMPO {:?}", components);
|
||||
|
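Review bot: The `name.starts_with(".")` check in the new loop runs on `parts.uri.path()`, which (assuming this is the `http`/hyper `Uri`) is still percent-encoded, so a component such as `%2e%2e` does not start with `.` and is accepted. That is only safe if nothing later in `handle_request` or its callees percent-decodes `path` or `components` before using them to locate a file; the rest of the function is outside this hunk, so this cannot be confirmed from here. Either decode each component once before the check and use only the decoded values afterwards, or state the invariant at the loop: `// checked on the raw, still percent-encoded path; code below must never decode it`. Also confirm that `http_error_future!` expands to a `return`, since otherwise the rejected name would still reach `path.push_str(name)` and `components.push(name)`.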