From dcd9993a0fb32493e7861d261c0814cc03fc12ce Mon Sep 17 00:00:00 2001
From: Carl Howells
Date: Wed, 10 Nov 2010 11:52:48 -0800
Subject: [PATCH 1/2] Fix Snap.Util.FileServe.getSafePath to reject non-relative paths
---
 src/Snap/Util/FileServe.hs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/Snap/Util/FileServe.hs b/src/Snap/Util/FileServe.hs
index bd8222b0..8c6e3dc2 100644
--- a/src/Snap/Util/FileServe.hs
+++ b/src/Snap/Util/FileServe.hs
@@ -172,10 +172,14 @@ getSafePath = do
 req <- getRequest
 let p = S.unpack $ rqPathInfo req
+ -- relative paths only!
+ when (not $ isRelative p) pass
+ -- check that we don't have any sneaky .. paths
 let dirs = splitDirectories p
 when (elem ".." dirs) pass
- return p
+
+ return $ joinPath dirs
 ------------------------------------------------------------------------------
From 06d15e7c8c9eb45b1625b4f78bceaaac41cb8dac Mon Sep 17 00:00:00 2001
From: Gregory Collins
Date: Wed, 10 Nov 2010 21:11:59 +0100
Subject: [PATCH 2/2] Bump snap-core version
---
 snap-core.cabal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/snap-core.cabal b/snap-core.cabal
index d5ac1059..f5e2e15f 100644
--- a/snap-core.cabal
+++ b/snap-core.cabal
@@ -1,5 +1,5 @@
 name: snap-core
-version: 0.2.16
+version: 0.2.17
 synopsis: Snap: A Haskell Web Framework (Core)
 description:
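Review bot: The new guard `when (not $ isRelative p) pass` reads more naturally as `unless (isRelative p) pass`, and both it and the `joinPath dirs` return take their notion of "relative" and of separators from the build platform's System.FilePath while `rqPathInfo` is a URL path, so it is worth confirming the rejection behaves the same on a Windows build as on POSIX. Returning `joinPath dirs` instead of `p` also normalises the value (splitting and rejoining drops repeated and trailing separators), which callers that compare against the raw request path may not expect, so that should be called out as an intentional behaviour change. The definition of getSafePath starts outside the hunk; its Haddock should state that absolute paths and any `..` component make the handler `pass`, and that the result is the rejoined component list rather than the raw path info.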