X-Git-Url: http://git.cielonegro.org/gitweb.cgi?a=blobdiff_plain;f=Network%2FHTTP%2FLucu%2FStaticFile.hs;h=7937af9b6fee02996136d7335664f921af0c6932;hb=32cb47e903c5fb1d35fe48dfa8e975464a3832e3;hp=e5443409d2f65b0e1639622aae1d334eceff96db;hpb=453cecf83e146e1ec23545fb371f7b91ab6adea7;p=Lucu.git
diff --git a/Network/HTTP/Lucu/StaticFile.hs b/Network/HTTP/Lucu/StaticFile.hs
index e544340..7937af9 100644
--- a/Network/HTTP/Lucu/StaticFile.hs
+++ b/Network/HTTP/Lucu/StaticFile.hs
@@ -94,6 +94,12 @@ staticDir path
 handleStaticDir :: FilePath -> Resource ()
 handleStaticDir basePath
 = do extraPath <- getPathInfo
+ securityCheck extraPath
 let path = basePath ++ "/" ++ joinWith "/" extraPath
 handleStaticFile path
+ where
+ securityCheck :: Monad m => [String] -> m ()
+ securityCheck pathElems
+ = when (any (== "..") pathElems) $ fail ("security error: "
+ ++ joinWith "/" pathElems)
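Review bot: The new `securityCheck` in `handleStaticDir` rejects only elements that are exactly `..`, so whether it is sufficient depends on what `getPathInfo` returns, which this hunk does not show. If the elements are percent-decoded after the request path is split, a single element can itself contain `/` (or `\` on Windows) and still pass the `== ".."` test, and the joined `path` could then resolve outside `basePath`. I would reject any element that contains a separator as well, e.g. `= when (any unsafe pathElems) $ fail (...)` with `unsafe e = e == ".." || any (\c -> c == '/' || c == '\\') e`, or canonicalise `path` and confirm it is still under `basePath` before calling `handleStaticFile`. Separately, `fail` under a bare `Monad m` constraint leaves the HTTP status to however `Resource` implements it and copies the requested path into the message; an explicit client-error response that does not echo the path would be easier to reason about.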