Merge 0.9->0.10
[prosody.git] / plugins / mod_http_files.lua
index 59fd50aaf630799568e1b50d81cd632003922a2e..0c542714e711aea1f3e09e8dc5b37b1b1b89c4d0 100644 (file)
@@ -1,7 +1,7 @@
 -- Prosody IM
 -- Copyright (C) 2008-2010 Matthew Wild
 -- Copyright (C) 2008-2010 Waqas Hussain
--- 
+--
 -- This project is MIT/X11 licensed. Please see the
 -- COPYING file in the source package for more information.
 --
@@ -14,6 +14,7 @@ local os_date = os.date;
 local open = io.open;
 local stat = lfs.attributes;
 local build_path = require"socket.url".build_path;
+local path_sep = package.config:sub(1,1);
 
 local base_path = module:get_option_string("http_files_dir", module:get_option_string("http_path"));
 local dir_indices = module:get_option("http_index_files", { "index.html", "index.htm" });
@@ -32,7 +33,7 @@ if not mime_map then
                jpeg = "image/jpeg", jpg = "image/jpeg",
                svg = "image/svg+xml",
        };
-       module:shared("mime").types = mime_map;
+       module:shared("/*/http_files/mime").types = mime_map;
 
        local mime_types, err = open(module:get_option_string("mime_types_file", "/etc/mime.types"),"r");
        if mime_types then
@@ -48,6 +49,34 @@ if not mime_map then
        end
 end
 
+local forbidden_chars_pattern = "[/%z]";
+if prosody.platform == "windows" then
+       forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
+end
+
+local urldecode = require "util.http".urldecode;
+function sanitize_path(path)
+       local out = {};
+
+       local c = 0;
+       for component in path:gmatch("([^/]+)") do
+               component = urldecode(component);
+               if component:find(forbidden_chars_pattern) then
+                       return nil;
+               elseif component == ".." then
+                       if c <= 0 then
+                               return nil;
+                       end
+                       out[c] = nil;
+                       c = c - 1;
+               elseif component ~= "." then
+                       c = c + 1;
+                       out[c] = component;
+               end
+       end
+       return "/"..table.concat(out, "/");
+end
+
 local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.
 
 function serve(opts)
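Review bot: The Windows character class on the new `forbidden_chars_pattern` line omits the backslash, so a decoded component containing `\` passes the `component:find(forbidden_chars_pattern)` check, is never compared against `..`, and is later joined into `full_path`, where Windows treats `\` as a directory separator; adding it to the class, `forbidden_chars_pattern = "[/\\%z\001-\031\127\"*:<>?|]"`, keeps the separator handling consistent with the `/` case. `sanitize_path` is also declared without `local`, so it lands in the module environment rather than staying file-private; `local function sanitize_path(path)` fixes that and lets luacheck flag any other accidental globals. A short LDoc header stating the contract — each `/`-separated component is URL-decoded, `.` and `..` are resolved without ever rising above the root, and `nil` is returned for any component with forbidden bytes — would help keep this rule set and the serving code in sync.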
@@ -59,9 +88,13 @@ function serve(opts)
        local directory_index = opts.directory_index;
        local function serve_file(event, path)
                local request, response = event.request, event.response;
-               local orig_path = request.path;
-               local full_path = base_path .. (path and "/"..path or "");
-               local attr = stat(full_path);
+               path = sanitize_path(path);
+               if not path then
+                       return 400;
+               end
+               local orig_path = sanitize_path(request.path);
+               local full_path = base_path .. (path and "/"..path or ""):gsub("/", path_sep);
+               local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows
                if not attr then
                        return 404;
                end
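Review bot: `orig_path` on the new `local orig_path = sanitize_path(request.path);` line can now be `nil`, but unlike `path` two lines above it is not checked before use; `serve_file` continues past the hunk, so wherever `orig_path` is later concatenated or compared this would surface as a runtime error rather than a 400. Mirroring the existing guard, `if not orig_path then return 400; end`, keeps the two inputs consistent. The `(path and "/"..path or "")` expression on the `full_path` line is dead after the new `if not path then return 400` return, and because `sanitize_path` already yields a leading `/` it now produces a doubled separator before the `gsub`; `local full_path = (base_path .. path):gsub("/", path_sep);` expresses the intent directly (the second value returned by `gsub` is discarded by the single-target assignment, as it is by `..` today). If `base_path` can be configured as a bare separator, `full_path:match("^.*[^\\/]")` returns `nil` for the root request and `stat(nil)` would raise — presumably rare, but worth a guard or a comment.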