Fix Snap.Util.FileServe.getSafePath to reject non-relative paths
Carl Howells authored and gregorycollins committed Nov 10, 2010
1 parent e3f79bf commit dcd9993
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion src/Snap/Util/FileServe.hs
Expand Up @@ -172,10 +172,14 @@ getSafePath = do
req <- getRequest
let p = S.unpack $ rqPathInfo req

-- relative paths only!
when (not $ isRelative p) pass

-- check that we don't have any sneaky .. paths
let dirs = splitDirectories p
when (elem ".." dirs) pass
return p

return $ joinPath dirs


------------------------------------------------------------------------------
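
Review bot: the new `when (not $ isRelative p) pass` guard at the top of getSafePath lands without a regression test, since the commit touches only src/Snap/Util/FileServe.hs. Please add a test that requests an absolute rqPathInfo and asserts the handler passes, alongside one for a path containing "..". The "relative paths only!" comment would also be more useful if it said why an absolute path is rejected. Separately, the final line now returns `joinPath dirs` instead of the raw `p`, so callers receive a path rebuilt from its components; the commit message does not mention this, so note it in the message or in a comment next to the return. As a style point, `unless (isRelative p) pass` reads more directly than `when (not $ ...)`.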