It looks that RequestedPath::new() uses the result of decode_percents(...) without any filtering.
That allows a potential access to a parent directory of the Static's root.
For example, the following request might return the contents of /etc/passwd file.
I guess this behavior is unintentional because this could be an security vulnerability.
Hm, I would feel that this is a security risk yes. I would assume desirable behavior would be that you couldn't traverse "up" past the defined root.
Would you like to make a patch for this?
Sure. Let me try.
Normalize the request path
You're the best. :)
Released 0.3.1. Thanks @hayatoito!
My pleasure. Thank you for merging!