SecurityCheck

author pho <pho@cielonegro.org>

Sat, 14 Apr 2007 06:23:32 +0000 (15:23 +0900)

committer pho <pho@cielonegro.org>

Sat, 14 Apr 2007 06:23:32 +0000 (15:23 +0900)
author pho <pho@cielonegro.org>
Sat, 14 Apr 2007 06:23:32 +0000 (15:23 +0900)
committer pho <pho@cielonegro.org>
Sat, 14 Apr 2007 06:23:32 +0000 (15:23 +0900)
diff --git a/Makefile b/Makefile

index bbd831f5a1da11896879449dcacae8955c3115eb..bf7f8818de645a883e53b7e55fb0b223ae0fa20f 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,6 @@ build: .setup-config Setup
  
  run: build
         @echo ".:.:. Let's go .:.:."
-       $(WHAT_TO_RUN)
         $(MAKE) -C examples run
  
  .setup-config: $(CABAL_FILE) Setup
@@ -20,7 +19,7 @@ clean:
         find . -name '*~' -exec rm -f {} \;
         $(MAKE) -C examples clean
  
-doc:
+doc: .setup-config Setup
         ./Setup haddock
  
  install: build
diff --git a/Network/HTTP/Lucu/StaticFile.hs b/Network/HTTP/Lucu/StaticFile.hs

index e5443409d2f65b0e1639622aae1d334eceff96db..7937af9b6fee02996136d7335664f921af0c6932 100644 (file)
--- a/Network/HTTP/Lucu/StaticFile.hs
+++ b/Network/HTTP/Lucu/StaticFile.hs
@@ -94,6 +94,12 @@ staticDir path
  handleStaticDir :: FilePath -> Resource ()
  handleStaticDir basePath
      = do extraPath <- getPathInfo
+         securityCheck extraPath
           let path = basePath ++ "/" ++ joinWith "/" extraPath
  
           handleStaticFile path
+    where
+      securityCheck :: Monad m => [String] -> m ()
+      securityCheck pathElems
+          = when (any (== "..") pathElems) $ fail ("security error: "
+                                                   ++ joinWith "/" pathElems)
author	pho <pho@cielonegro.org>
	Sat, 14 Apr 2007 06:23:32 +0000 (15:23 +0900)
committer	pho <pho@cielonegro.org>
	Sat, 14 Apr 2007 06:23:32 +0000 (15:23 +0900)
Makefile		patch \| blob \| history
Network/HTTP/Lucu/StaticFile.hs		patch \| blob \| history