-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
---
+--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
module:depends("http");
+local server = require"net.http.server";
local lfs = require "lfs";
local os_date = os.date;
local open = io.open;
local stat = lfs.attributes;
local build_path = require"socket.url".build_path;
+local path_sep = package.config:sub(1,1);
local base_path = module:get_option_string("http_files_dir", module:get_option_string("http_path"));
local dir_indices = module:get_option("http_index_files", { "index.html", "index.htm" });
local directory_index = module:get_option_boolean("http_dir_listing");
-local mime_map = module:shared("mime").types;
+local mime_map = module:shared("/*/http_files/mime").types;
if not mime_map then
mime_map = {
html = "text/html", htm = "text/html",
jpeg = "image/jpeg", jpg = "image/jpeg",
svg = "image/svg+xml",
};
- module:shared("mime").types = mime_map;
+ module:shared("/*/http_files/mime").types = mime_map;
local mime_types, err = open(module:get_option_string("mime_types_file", "/etc/mime.types"),"r");
if mime_types then
end
end
+local forbidden_chars_pattern = "[/%z]";
+if prosody.platform == "windows" then
+ forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
+end
+
+local urldecode = require "util.http".urldecode;
+function sanitize_path(path)
+ if not path then return end
+ local out = {};
+
+ local c = 0;
+ for component in path:gmatch("([^/]+)") do
+ component = urldecode(component);
+ if component:find(forbidden_chars_pattern) then
+ return nil;
+ elseif component == ".." then
+ if c <= 0 then
+ return nil;
+ end
+ out[c] = nil;
+ c = c - 1;
+ elseif component ~= "." then
+ c = c + 1;
+ out[c] = component;
+ end
+ end
+ if path:sub(-1,-1) == "/" then
+ out[c+1] = "";
+ end
+ return "/"..table.concat(out, "/");
+end
+
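Review bot: The Windows value of `forbidden_chars_pattern` does not include the backslash (the `\"` in the string is only an escaped double quote), so `sanitize_path` accepts a decoded component that contains `\`. The `..` and `.` checks only compare whole `/`-separated components, and `serve_file` concatenates the result onto `base_path` for `stat` and `open`. On Windows the filesystem would therefore treat such a component as further path segments that were never checked. Adding the separator to the set closes the gap: `forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|\\]"`. A one-line comment above `sanitize_path` saying that it returns nil for any path it refuses would also help callers.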
local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.
function serve(opts)
+ if type(opts) ~= "table" then -- assume path string
+ opts = { path = opts };
+ end
local base_path = opts.path;
local dir_indices = opts.index_files or dir_indices;
local directory_index = opts.directory_index;
local function serve_file(event, path)
local request, response = event.request, event.response;
- local orig_path = request.path;
- local full_path = base_path .. (path and "/"..path or "");
- local attr = stat(full_path);
+ local sanitized_path = sanitize_path(path);
+ if path and not sanitized_path then
+ return 400;
+ end
+ path = sanitized_path;
+ local orig_path = sanitize_path(request.path);
+ local full_path = base_path .. (path or ""):gsub("/", path_sep);
+ local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows
if not attr then
return 404;
end
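Review bot: `orig_path = sanitize_path(request.path)` is never checked for nil, unlike `path` just above it. It is later used as a table key in `cache[orig_path] = ...` and as the receiver in `orig_path:gmatch(...)`, both of which raise a Lua error on nil instead of returning an HTTP status. Whether a request can get this far with a `request.path` that fails sanitisation is not visible from these lines, so I would guard it the same way: `if not orig_path then return 400; end`. `serve_file` continues past the lines shown here.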
return 304;
end
- local data = cache[path];
+ local data = cache[orig_path];
if data and data.etag == etag then
response_headers.content_type = data.content_type;
data = data.data;
- elseif attr.mode == "directory" then
+ elseif attr.mode == "directory" and path then
if full_path:sub(-1) ~= "/" then
local path = { is_absolute = true, is_directory = true };
for dir in orig_path:gmatch("[^/]+") do path[#path+1]=dir; end
end
end
- if not directory_index then
+ if directory_index then
+ data = server._events.fire_event("directory-index", { path = request.path, full_path = full_path });
+ end
+ if not data then
return 403;
- else
- local html = require"util.stanza".stanza("html")
- :tag("head"):tag("title"):text(path):up()
- :tag("meta", { charset="utf-8" }):up()
- :up()
- :tag("body"):tag("h1"):text(path):up()
- :tag("ul");
- for file in lfs.dir(full_path) do
- if file:sub(1,1) ~= "." then
- local attr = stat(full_path..file) or {};
- html:tag("li", { class = attr.mode })
- :tag("a", { href = file }):text(file)
- :up():up();
- end
- end
- data = "<!DOCTYPE html>\n"..tostring(html);
- cache[path] = { data = data, content_type = mime_map.html; etag = etag; };
- response_headers.content_type = mime_map.html;
end
+ cache[orig_path] = { data = data, content_type = mime_map.html; etag = etag; };
+ response_headers.content_type = mime_map.html;
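Review bot: The `directory-index` event is fired with `path = request.path`, the raw request path, while the rest of `serve_file` now works on the output of `sanitize_path`. The removed inline listing escaped the value through `:text(path)`, but the handler that now builds the HTML is outside this diff. The call site should therefore say that the field is untrusted, e.g. `-- request.path is raw client input; handlers must escape it before rendering`. If handlers only use it for display, passing `path = orig_path` would be more consistent with the cache key. The call also goes through `server._events`, which by its name looks like an internal field of net.http.server, so it is worth confirming there is no public way to fire this event.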
else
local f, err = open(full_path, "rb");
module:log("debug", "Could not open or read %s. Error was %s", full_path, err);
return 403;
end
- local ext = path:match("%.([^./]+)$");
+ local ext = full_path:match("%.([^./]+)$");
local content_type = ext and mime_map[ext];
- cache[path] = { data = data; content_type = content_type; etag = etag };
+ cache[orig_path] = { data = data; content_type = content_type; etag = etag };
response_headers.content_type = content_type;
end
return serve_file;
end
+function wrap_route(routes)
+ for route,handler in pairs(routes) do
+ if type(handler) ~= "function" then
+ routes[route] = serve(handler);
+ end
+ end
+ return routes;
+end
if base_path then
module:provides("http", {