Added protection against malformed file paths as reported by Meredydd

Luff
weavejester · Sep 13, 2009 · 81fae95 · 81fae95
1 parent fda9824
commit 81fae95
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/src/compojure/http/helpers.clj b/src/compojure/http/helpers.clj
@@ -54,6 +54,12 @@
       #(.startsWith (.toLowerCase (.getName %)) "index.")
        (.listFiles dir))))
 
+(defn safe-path?
+  "Is a filepath safe for a particular root?"
+  [root path]
+  (.startsWith (.getCanonicalPath (File. root path))
+               (.getCanonicalPath (File. root))))
+
 (defn serve-file
   "Attempts to serve up a static file from a directory, which defaults to
   './public'. Nil is returned if the file does not exist. If the file is a
@@ -62,8 +68,9 @@
     (serve-file "public" path))
   ([root path]
     (let [filepath (File. root path)]
-      (cond
-        (.isFile filepath)
-          filepath
-        (.isDirectory filepath)
-          (find-index-file filepath)))))
+      (if (safe-path? root path)
+        (cond 
+          (.isFile filepath)
+            filepath
+          (.isDirectory filepath)
+            (find-index-file filepath))))))
diff --git a/test/compojure/http/helpers.clj b/test/compojure/http/helpers.clj
@@ -15,3 +15,7 @@
 (deftest test-content-type
   (is (= (content-type "text/html")
          {:headers {"Content-Type" "text/html"}})))
+
+(deftest test-safe-path
+  (is (not (safe-path? "/home/compojure" "../private/secret.txt")))
+  (is (safe-path? "/home/compojure" "public/index.html")))