Added protection against directory-traversal file paths (e.g. `../`) as reported by Meredydd Luff
commit 81fae95902f645ef3912fabb38dfcef9d29b6224 1 parent fda9824
@weavejester authored
Showing with 16 additions and 5 deletions.
  1. +12 −5 src/compojure/http/helpers.clj
  2. +4 −0 test/compojure/http/helpers.clj
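--- a/src/compojure/http/helpers.clj
+++ b/src/compojure/http/helpers.clj
@@ -54,6 +54,12 @@
 #(.startsWith (.toLowerCase (.getName %)) "index.")
 (.listFiles dir))))
+(defn safe-path?
+ "Is a filepath safe for a particular root?"
+ [root path]
+ (.startsWith (.getCanonicalPath (File. root path))
+ (.getCanonicalPath (File. root))))
+
 (defn serve-file
 "Attempts to serve up a static file from a directory, which defaults to
 './public'. Nil is returned if the file does not exist. If the file is a
@@ -62,8 +68,9 @@
 (serve-file "public" path))
 ([root path]
 (let [filepath (File. root path)]
- (cond
- (.isFile filepath)
- filepath
- (.isDirectory filepath)
- (find-index-file filepath)))))
+ (if (safe-path? root path)
+ (cond
+ (.isFile filepath)
+ filepath
+ (.isDirectory filepath)
+ (find-index-file filepath))))))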
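Review bot: The `.startsWith` comparison in `safe-path?` still admits sibling directories whose name merely begins with the root's name: for root `/home/compojure`, a request for `../compojure-private/x` canonicalises to `/home/compojure-private/x`, which starts with `/home/compojure` and is therefore served. The check should compare against the canonical root followed by `File/separator`, and accept the root itself as a separate case so a bare request for the directory still reaches `find-index-file`. Two caveats are worth a comment on the function: `getCanonicalPath` resolves symlinks, so a link inside `root` that points outside it will now be refused, and it can throw `IOException`, which `serve-file` propagates rather than returning nil. `serve-file`'s docstring and first arity are split across the two hunks, so that function is only partly visible here.
```clojure
(defn safe-path?
  "Is a filepath safe for a particular root? True when the canonical form of
  path is root itself or lies beneath it (prefix plus a path separator)."
  [root path]
  (let [canonical-root (.getCanonicalPath (File. root))
        canonical-path (.getCanonicalPath (File. root path))]
    (or (= canonical-path canonical-root)
        (.startsWith canonical-path (str canonical-root File/separator)))))
```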
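--- a/test/compojure/http/helpers.clj
+++ b/test/compojure/http/helpers.clj
@@ -15,3 +15,7 @@
 (deftest test-content-type
 (is (= (content-type "text/html")
 {:headers {"Content-Type" "text/html"}})))
+
+(deftest test-safe-path
+ (is (not (safe-path? "/home/compojure" "../private/secret.txt")))
+ (is (safe-path? "/home/compojure" "public/index.html")))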
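Review bot: `test-safe-path` only covers a path that escapes the root entirely; it has no case for a sibling directory that shares the root's name as a prefix, which a plain canonical-path `.startsWith` comparison accepts. Add `(is (not (safe-path? "/home/compojure" "../compojure-private/secret.txt")))` so that bypass is pinned, and `(is (safe-path? "/home/compojure" ""))` to pin that the root directory itself is still allowed. Note that `/home/compojure` need not exist on the test machine; `getCanonicalPath` appears to normalise non-existent paths and only resolves symlinks in components that do exist, so a comment such as `;; fixture paths need not exist: canonicalisation is purely lexical here` would make that assumption explicit.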