I found a few errors in the etorrent_cowboy_handler.erl file. I can get access to any file on the Erlang node through Cowboy:
telnet 127.0.0.1 8080
GET /../../../../../log/console.log HTTP/1.0
And mimetypes:filename returns undefined (not unknown).
Can you try with this patch? It attempts to be a bit more limiting in what you can put in, but my PropEr test might not be tight enough.
Thanks for reporting it. I'd rather go for something which is not a white-list if possible.
I'd look into the mimetypes error later today perhaps :)
I think the part of the system which handles requests for the real files must be implemented in the Cowboy application. It will be a more elegant way of solving this problem.
I agree. @klaar has been working on writing a static file handler for Cowboy I think, so I can ask him about what he has done there and adopt it.
I found it:
We just merged a simpler version of that into the master branch of extend/cowboy, batteries included!
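The `GET /../../../../../log/console.log` request reported at the top of this thread works because `..` segments reach the file system unchanged. The following is an added Erlang example, not etorrent's or Cowboy's code, of a check that is not a whitelist: it normalizes the request path and rejects anything that would climb above the document root. The module `safe_static`, its functions and the root `/srv/etorrent/webui` are hypothetical, and the path is assumed to be URL-decoded already.

```erlang
%% Added example; names and the document root are hypothetical.
-module(safe_static).
-export([resolve/2, demo/0]).

%% resolve(DocRoot, RawPath) -> {ok, FullPath} | {error, Reason}
%% RawPath is the already URL-decoded request path as a string.
%% The check is lexical only: symlinks below DocRoot are not resolved.
resolve(DocRoot, RawPath) ->
    Segments = string:tokens(RawPath, "/"),   % drops empty segments
    case normalize(Segments, []) of
        {ok, []}    -> {error, no_file};
        {ok, Clean} -> {ok, filename:join([DocRoot | Clean])};
        Error       -> Error
    end.

%% Walk the segments, keeping a stack of the directories entered so far.
normalize([], Acc) ->
    {ok, lists:reverse(Acc)};
normalize(["." | T], Acc) ->
    normalize(T, Acc);
normalize([".." | _], []) ->
    {error, traversal};                       % would leave the root
normalize([".." | T], [_ | Acc]) ->
    normalize(T, Acc);                        % stays inside the root
normalize([Seg | T], Acc) ->
    %% Reject NUL bytes and backslashes inside a segment.
    case lists:member(0, Seg) orelse lists:member($\\, Seg) of
        true  -> {error, bad_segment};
        false -> normalize(T, [Seg | Acc])
    end.

%% Constructed sample requests; a badmatch here means the check is broken.
demo() ->
    Root = "/srv/etorrent/webui",
    {error, traversal} = resolve(Root, "/../../../../../log/console.log"),
    {error, traversal} = resolve(Root, "/css/../../log/console.log"),
    {ok, "/srv/etorrent/webui/js/app.js"} = resolve(Root, "/js/./app.js"),
    {ok, "/srv/etorrent/webui/index.html"} = resolve(Root, "/css/../index.html"),
    {error, no_file} = resolve(Root, "/"),
    ok.
```

A handler would answer `{error, _}` with a 4xx response and only open the file on `{ok, FullPath}`.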