@@ -54,6 +54,12 @@ #(.startsWith (.toLowerCase (.getName %)) "index.") (.listFiles dir)))) +(defn safe-path? + "Is a filepath safe for a particular root?" + [root path] + (.startsWith (.getCanonicalPath (File. root path)) + (.getCanonicalPath (File. root)))) + (defn serve-file "Attempts to serve up a static file from a directory, which defaults to './public'. Nil is returned if the file does not exist. If the file is a @@ -62,8 +68,9 @@ (serve-file "public" path)) ([root path] (let [filepath (File. root path)] - (cond - (.isFile filepath) - filepath - (.isDirectory filepath) - (find-index-file filepath))))) + (if (safe-path? root path) + (cond + (.isFile filepath) + filepath + (.isDirectory filepath) + (find-index-file filepath)))))) src/compojure/http/helpers.clj @@ -15,3 +15,7 @@ (deftest test-content-type (is (= (content-type "text/html") {:headers {"Content-Type" "text/html"}}))) + +(deftest test-safe-path + (is (not (safe-path? "/home/compojure" "../private/secret.txt"))) + (is (safe-path? "/home/compojure" "public/index.html"))) test/compojure/http/helpers.clj fda98248260d7d6285c0262da9ac6bfd48620254 weavejester jreeves@weavejester.com http://github.com/abedra/compojure/commit/81fae95902f645ef3912fabb38dfcef9d29b6224 81fae95902f645ef3912fabb38dfcef9d29b6224 2009-09-13T07:38:17-07:00 2009-09-13T07:38:01-07:00 Added protection against malformed file paths as reported by Meredydd Luff 0706b984ff8e54a1ae4b4bc0abce8b2e0f1b22c9 weavejester jreeves@weavejester.com