
http, bugfix: can't read parent of server root path (#495)

Fiber-Man authored and xicilion committed Apr 28, 2019
1 parent ebdcce6 commit 6cb9d5fe3703e5de2447a14501f6e7ee0db4525a
Showing with 125 additions and 2 deletions.
  1. +15 −2 fibjs/src/http/HttpFileHandler.cpp
  2. +110 −0 test/http_test.js
@@ -168,9 +168,14 @@ result_t HttpFileHandler::invoke(object_base* v, obj_ptr<Handler_base>& retVal,

m_req->get_value(m_value);
Url::decodeURI(m_value, m_value);
path_base::normalize(m_pThis->m_root + m_value, m_url);
path_posix_base::normalize(m_value, m_value);

set(start);
if (!qstrcmp(m_value.c_str(), "../", 3) || qstrchr(m_value.c_str(), '\\')) {
set(stop);
} else {
path_base::normalize(m_pThis->m_root + m_value, m_url);
set(start);
}
}

static int32_t start(AsyncState* pState, int32_t n)
@@ -196,6 +201,14 @@ result_t HttpFileHandler::invoke(object_base* v, obj_ptr<Handler_base>& retVal,
return fs_base::openFile(pThis->m_path, "r", pThis->m_file, pThis);
}

static int32_t stop(AsyncState* pState, int32_t n)
{
asyncInvoke* pThis = (asyncInvoke*)pState;

pThis->m_rep->set_statusCode(400);
return pThis->done(CALL_RETURN_NULL);
}

static int32_t autoindex(AsyncState* pState, int32_t n)
{
asyncInvoke* pThis = (asyncInvoke*)pState;
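Review bot: The new guard on the `if` line rejects a normalized value that starts with `../` or contains a backslash, but a value that is exactly `..` with no trailing slash would not match a three-character prefix compare if `qstrcmp` with a length argument is strncmp-like, and would then reach `path_base::normalize(m_pThis->m_root + m_value, m_url)` as `<root>..`, which resolves to the parent of the root whenever `m_root` ends with a separator (whether that is reachable also depends on how `m_req->get_value` delivers a relative path, which is outside the hunk). I would extend the condition to also reject a value that is exactly `..` (a whole-string compare next to the existing prefix test), keeping the same `set(stop)` 400 path. I would also add a comment above the `if` stating the invariant the check relies on: `// after posix normalize, any escape from the root shows up as a leading ".." segment; reject it (400) before joining with m_root`. The enclosing function starts before the hunk.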
@@ -1313,6 +1313,116 @@ describe("http", () => {
rep.clear();
});
});

describe("check path", () => {
it("can read child path", () => {
let str = `this is test in sub folder.`;
let urls = [
'/http_autoindex/test_dir/',
'http_autoindex/../http_autoindex/test_dir/',
'/http_autoindex/test_dir/../../http_autoindex/test_dir/',
'http_autoindex/../http_autoindex/test_dir/../test_dir/',

'/http_autoindex%2ftest_dir%2f',
'/http_autoindex%2f..%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2ftest_dir%2f..%2f..%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2f..%2fhttp_autoindex%2ftest_dir%2f..%2ftest_dir%2f',

'/./http_autoindex/./test_dir/',
'/./http_autoindex/.././http_autoindex/test_dir/',
'/./http_autoindex/test_dir/../.././http_autoindex/./test_dir/',
'/./http_autoindex/.././http_autoindex/test_dir/../test_dir/',

'//http_autoindex//test_dir//',
'//http_autoindex//..//http_autoindex//test_dir//',
'//http_autoindex/test_dir//..//..//http_autoindex/test_dir//',
'//http_autoindex//..//http_autoindex//test_dir//../test_dir//',
];

hfHandler = new http.fileHandler(baseFolder);
urls.forEach(url => {
var resp = hfh_test(url + 'test.txt');
assert.equal(resp.statusCode, 200);
assert.equal(str, resp.readAll().toString());
});

hfHandler = new http.fileHandler("./");
urls.forEach(url => {
var resp = hfh_test(url + 'test.txt');
assert.equal(resp.statusCode, 200);
assert.equal(str, resp.readAll().toString());
})
});

it("can't read parent of server root path", () => {
let str = `this is test in sub folder.`;
let urls400 = [
'/http_autoindex\\test_dir/',
'http_autoindex/../http_autoindex\\test_dir/',
'/http_autoindex/test_dir/../../http_autoindex\\test_dir/',
'http_autoindex/../http_autoindex/test_dir\\..\\test_dir/',
'../test/http_autoindex/../test_dir/',
'../test/http_autoindex/../http_autoindex/test_dir/',
'../test/http_autoindex/test_dir/../../http_autoindex/test_dir/',
'../test/http_autoindex/../http_autoindex/test_dir/../test_dir/',

'../../fibjs/test/http_autoindex/test_dir/',
'../../fibjs/test/http_autoindex/../http_autoindex/test_dir/',
'../../fibjs/test/http_autoindex/test_dir/../../http_autoindex/test_dir/',
'../../fibjs/test/http_autoindex/../http_autoindex/test_dir/../test_dir/',
];

let urls404 = [
'/../test/http_autoindex/../test_dir/',
'/../test/http_autoindex/../http_autoindex/test_dir/',
'/../test/http_autoindex/test_dir/../../http_autoindex/test_dir/',
'/../test/http_autoindex/../http_autoindex/test_dir/../test_dir/',

'/../../fibjs/test/http_autoindex/test_dir/',
'/../../fibjs/test/http_autoindex/../http_autoindex/test_dir/',
'/../../fibjs/test/http_autoindex/test_dir/../../http_autoindex/test_dir/',
'/../../fibjs/test/http_autoindex/../http_autoindex/test_dir/../test_dir/',

'/http_autoindex%2ftest_dir%2f..%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2ftest_dir%2f..%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f..%2ftest_dir%2f',

'/http_autoindex%2ftest_dir%2f..%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2ftest_dir%2f..%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f',
'/http_autoindex%2f..%2f..%2ftest%2fhttp_autoindex%2ftest_dir%2f..%2ftest_dir%2f',
];

hfHandler = new http.fileHandler(baseFolder);
urls400.forEach(url => {
var resp = hfh_test(url + 'test.txt');
assert.equal(resp.statusCode, 400);
assert.equal(resp.length, 0);
});


urls404.forEach(url => {
var resp = hfh_test(url + 'test.txt');
assert.equal(resp.statusCode, 404);
assert.equal(resp.length, 0);
});


hfHandler = new http.fileHandler("./");
urls400.forEach(url => {
var resp = hfh_test(url + 'test.txt');
assert.equal(resp.statusCode, 400);
assert.equal(resp.length, 0);
});

urls404.forEach(url => {
var resp = hfh_test(url + 'test.txt');
assert.equal(resp.statusCode, 404);
assert.equal(resp.length, 0);
});
});
});
});

describe("server/global request", () => {
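Review bot: `let str` on the line opening the "can't read parent of server root path" case is never used in that `it` body (every assertion there checks `statusCode` and `length` only), so it should be dropped. The four percent-encoded entries in `urls404` are listed twice verbatim (the group after the blank line repeats the previous four), so the second group adds no coverage; presumably it was meant as a different variant, and either way one copy should go. Both `it` cases only exercise inputs with `test.txt` appended, so a request whose path is a bare `..` is not covered by either list. Minor: the second `urls.forEach` in "can read child path" closes with `})` without a semicolon, unlike the first.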
