Fix Snap.Util.FileServe.getSafePath to reject non-relative paths

commit dcd9993a0fb32493e7861d261c0814cc03fc12ce 1 parent e3f79bf
Carl Howells authored gregorycollins committed
Showing with 5 additions and 1 deletion.
  1. +5 −1 src/Snap/Util/FileServe.hs
6 src/Snap/Util/FileServe.hs
@@ -172,10 +172,14 @@ getSafePath = do
req <- getRequest
let p = S.unpack $ rqPathInfo req
+ -- relative paths only!
+ when (not $ isRelative p) pass
+
-- check that we don't have any sneaky .. paths
let dirs = splitDirectories p
when (elem ".." dirs) pass
- return p
+
+ return $ joinPath dirs
------------------------------------------------------------------------------
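Review bot: the new `return $ joinPath dirs` at the end of getSafePath has no comment saying why the rejoined path is returned instead of `p`, while the two checks above it each carry one; a one-line comment stating what form of path callers can now rely on would close that gap. If `isRelative` here is the System.FilePath function, its result depends on the platform's path rules, which is worth saying in the "relative paths only!" comment. The commit touches only src/Snap/Util/FileServe.hs, so I would also ask for a regression test that requests an absolute path and a path containing a `..` component and expects `pass` in both cases. Style: `when (not $ isRelative p) pass` reads more directly as `unless (isRelative p) pass`.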