Collaborator

@huwr huwr commented Apr 7, 2022

As per RFC-3986 5.2.4 (Remove Dot Segments), we want to remove ..s. We can use Foundation's URL.standardized features for that.

However, I am sleepy, so this may have missed something obvious.

Fixes /issues/24


codecov bot commented Apr 7, 2022

Codecov Report

Merging #25 (779fd2c) into main (0984529) will not change coverage.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##             main      #25   +/-   ##
=======================================
  Coverage   99.75%   99.75%           
=======================================
  Files          42       42           
  Lines        2002     2002           
=======================================
  Hits         1997     1997           
  Misses          5        5           
Impacted Files Coverage Δ
FlyingFox/Sources/HTTPDecoder.swift 100.00% <100.00%> (ø)


@stackotter
Contributor

I love the choice of branch name btw hahah. From now on I’m definitely going to call path traversals ‘naughty paths’.

Owner

@swhitty swhitty left a comment

Looks great, a nice simple fix

@swhitty swhitty merged commit a71b191 into main Apr 7, 2022
@swhitty swhitty deleted the huwr/fix-naughty-paths branch April 7, 2022 21:45
Owner

swhitty commented Apr 7, 2022

Looks like we found another place where CoreLibsFoundation differs from Darwin Foundation. I have updated the test to pass here, but maybe we should normalise the behaviour across all platforms.

@stackotter
Contributor

That is certainly very annoying. You would think it would be very easy for the two Foundations to have the same behaviour in that context, weird.
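For reference, the RFC 3986 section 5.2.4 algorithm cited in the pull request description can be written without `URL.standardized`, which removes the dependence on which Foundation is in use. This is an added example, not code from this pull request or from FlyingFox; the function name `removeDotSegments` is hypothetical and the request paths are constructed.

```swift
import Foundation

/// RFC 3986 section 5.2.4 (Remove Dot Segments) in plain Swift, so the
/// result does not depend on which Foundation implements URL.standardized.
func removeDotSegments(_ path: String) -> String {
    var input = Substring(path)
    var output = ""

    // Step 2C: drop the last output segment and its preceding "/".
    func dropLastSegment() {
        if let slash = output.lastIndex(of: "/") {
            output.removeSubrange(slash...)
        } else {
            output.removeAll()
        }
    }

    while !input.isEmpty {
        if input.hasPrefix("../") {                      // 2A
            input.removeFirst(3)
        } else if input.hasPrefix("./") {                // 2A
            input.removeFirst(2)
        } else if input.hasPrefix("/./") {               // 2B: "/./x" -> "/x"
            input.removeFirst(2)
        } else if input == "/." {                        // 2B
            input = "/"
        } else if input.hasPrefix("/../") {              // 2C: "/../x" -> "/x"
            input.removeFirst(3)
            dropLastSegment()
        } else if input == "/.." {                       // 2C
            input = "/"
            dropLastSegment()
        } else if input == "." || input == ".." {        // 2D
            input = ""
        } else {                                         // 2E: move one segment
            let end = input.dropFirst().firstIndex(of: "/") ?? input.endIndex
            output.append(contentsOf: input[..<end])
            input = input[end...]
        }
    }
    return output
}

// Constructed request paths (not taken from the project's tests).
for path in ["/a/b/c/./../../g", "/../../etc/passwd", "/static/../../secret.txt", "/img/./logo.png"] {
    print(path, "->", removeDotSegments(path))
}
```

The function works on the path as given, so any percent-decoding has to happen before it is called; otherwise an encoded `%2e%2e` segment is treated as an ordinary name and passes through unchanged.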

Successfully merging this pull request may close these issues.

Security vulnerability: Path traversal in DirectoryHTTPHandler
3 participants