From: pho
Date: Sat, 14 Apr 2007 06:23:32 +0000 (+0900)
Subject: SecurityCheck
X-Git-Tag: RELEASE-0_2_1~55
X-Git-Url: http://git.cielonegro.org/gitweb.cgi?p=Lucu.git;a=commitdiff_plain;h=32cb47e903c5fb1d35fe48dfa8e975464a3832e3
SecurityCheck
darcs-hash:20070414062332-62b54-074f99da63796ade8dcd408e6b6e4c610fa35314.gz
---
diff --git a/Makefile b/Makefile
index bbd831f..bf7f881 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,6 @@ build: .setup-config Setup
 run: build
 @echo ".:.:. Let's go .:.:."
- $(WHAT_TO_RUN)
 $(MAKE) -C examples run
 .setup-config: $(CABAL_FILE) Setup
@@ -20,7 +19,7 @@ clean:
 find . -name '*~' -exec rm -f {} \;
 $(MAKE) -C examples clean
-doc:
+doc: .setup-config Setup
 ./Setup haddock
 install: build
diff --git a/Network/HTTP/Lucu/StaticFile.hs b/Network/HTTP/Lucu/StaticFile.hs
index e544340..7937af9 100644
--- a/Network/HTTP/Lucu/StaticFile.hs
+++ b/Network/HTTP/Lucu/StaticFile.hs
@@ -94,6 +94,12 @@ staticDir path
 handleStaticDir :: FilePath -> Resource ()
 handleStaticDir basePath = do extraPath <- getPathInfo
+ securityCheck extraPath
 let path = basePath ++ "/" ++ joinWith "/" extraPath
 handleStaticFile path
+ where
+ securityCheck :: Monad m => [String] -> m ()
+ securityCheck pathElems
+ = when (any (== "..") pathElems) $ fail ("security error: "
+ ++ joinWith "/" pathElems)
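Review bot: securityCheck in handleStaticDir rejects only path elements that are exactly "..", so how much it protects depends on how getPathInfo splits and decodes the request path, which this hunk does not show. If an element can still contain a separator after decoding, the `basePath ++ "/" ++ joinWith "/" extraPath` join is not confined to basePath; the guard could also refuse such elements, for example `when (any (\e -> e == ".." || elem '/' e || elem '\\' e) pathElems) $ fail ...`, or the joined path could be canonicalised and checked against basePath before handleStaticFile is called. The rejection goes through the generic `fail`, so the client sees whatever Resource's fail produces, presumably a server error that repeats the requested path; an explicit 403 or 404 that does not echo the path would be clearer to clients and in logs. A short comment on the helper, such as `-- Reject ".." so extraPath cannot climb out of basePath`, would record why the check exists.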