Don’t allow going outside PAGES_DIRECTORY
alexshpilkin opened this issue · 1 comments
alexshpilkin commented
The server as it stands now will happily display things like /../
, /../../
, or ../../../../../../../../../../etc/passwd
. (Note that most modern browsers and even curl will refuse to make such requests, but, say, HTTPie won’t, and there’s always telnet.) Such requests should be treated as if PAGES_DIRECTORY
is the filesystem root.
klange commented
Not sure how that was missed in 8 years. I haven't read the HTTP specs in a while, but I think clients are expected to normalize paths, so hopefully checking for ..
as a path element and throwing Bad request
should be an appropriate solution.