SecurityCheck
[Lucu.git] / Network / HTTP / Lucu / StaticFile.hs
index e5443409d2f65b0e1639622aae1d334eceff96db..7937af9b6fee02996136d7335664f921af0c6932 100644 (file)
@@ -94,6 +94,12 @@ staticDir path
 handleStaticDir :: FilePath -> Resource ()
 handleStaticDir basePath
     = do extraPath <- getPathInfo
+         securityCheck extraPath
          let path = basePath ++ "/" ++ joinWith "/" extraPath
 
          handleStaticFile path
+    where
+      securityCheck :: Monad m => [String] -> m ()
+      securityCheck pathElems
+          = when (any (== "..") pathElems) $ fail ("security error: "
+                                                   ++ joinWith "/" pathElems)
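Review bot: The `securityCheck` added in the `where` clause compares each whole path element with `".."`, so an element that itself contains a path separator would pass and still be concatenated into `path`; whether `getPathInfo` can return such an element (for instance if segments are percent-decoded after splitting) is not visible in this hunk and should be confirmed. Rejecting separators as well would close that gap, e.g. `when (any (\e -> e == ".." || elem '/' e || elem '\\' e) pathElems) $ ...`. The rejection goes through `fail`, whose effect in `Resource` is not shown here; if it surfaces as a server error with the message in the response, a client-error status that does not echo the requested path would be preferable. A one-line comment above `securityCheck` stating that it exists to keep the resolved file under `basePath` would also help the next reader.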