X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_http_files.lua;h=0c542714e711aea1f3e09e8dc5b37b1b1b89c4d0;hb=3c561ed7ab90acb90ea8cec61d912586b91fe56b;hp=6ab295acf3070c9d2312e72a1a2f15519fb56370;hpb=00b1cf077c52d45336ae6194a706410b3b03db34;p=prosody.git
diff --git a/plugins/mod_http_files.lua b/plugins/mod_http_files.lua
index 6ab295ac..0c542714 100644
--- a/plugins/mod_http_files.lua
+++ b/plugins/mod_http_files.lua
@@ -1,7 +1,7 @@
 -- Prosody IM
 -- Copyright (C) 2008-2010 Matthew Wild
 -- Copyright (C) 2008-2010 Waqas Hussain
--- 
+--
 -- This project is MIT/X11 licensed. Please see the
 -- COPYING file in the source package for more information.
 --
@@ -14,6 +14,7 @@ local os_date = os.date;
 local open = io.open;
 local stat = lfs.attributes;
 local build_path = require"socket.url".build_path;
+local path_sep = package.config:sub(1,1);
 
 local base_path = module:get_option_string("http_files_dir", module:get_option_string("http_path"));
 local dir_indices = module:get_option("http_index_files", { "index.html", "index.htm" });
@@ -48,6 +49,34 @@ if not mime_map then
 end
 end
 
+local forbidden_chars_pattern = "[/%z]";
+if prosody.platform == "windows" then
+ forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
+end
+
+local urldecode = require "util.http".urldecode;
+function sanitize_path(path)
+ local out = {};
+
+ local c = 0;
+ for component in path:gmatch("([^/]+)") do
+ component = urldecode(component);
+ if component:find(forbidden_chars_pattern) then
+ return nil;
+ elseif component == ".." then
+ if c <= 0 then
+ return nil;
+ end
+ out[c] = nil;
+ c = c - 1;
+ elseif component ~= "." then
+ c = c + 1;
+ out[c] = component;
+ end
+ end
+ return "/"..table.concat(out, "/");
+end
+
 local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.
 
 function serve(opts)
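Review bot: The Windows branch of `forbidden_chars_pattern` does not include the backslash, even though this same commit treats `\` as a path separator elsewhere (`path_sep` taken from `package.config`, and the `[^\\/]` class used when stripping the trailing separator before `stat`), so a URL-decoded component containing a backslash passes `sanitize_path` and is joined into the filesystem path verbatim, where Windows will read it as a directory boundary. Adding it to the class, `forbidden_chars_pattern = "[/\\%z\001-\031\127\"*:<>?|]"`, closes that gap without touching the POSIX pattern. The new function also has no header comment; a suitable one is `-- Decode and normalise a request path: rejects components containing a separator or NUL (plus reserved characters on Windows), resolves "." and "..", and returns nil if ".." would climb above the root.` `sanitize_path` is declared without `local`, unlike the helpers above it; if it is not meant to be exported from the module, `local function sanitize_path(path)` keeps it out of the module environment.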
@@ -59,9 +88,13 @@ function serve(opts)
 local directory_index = opts.directory_index;
 local function serve_file(event, path)
 local request, response = event.request, event.response;
- local orig_path = request.path;
- local full_path = base_path .. (path and "/"..path or "");
- local attr = stat(full_path);
+ path = sanitize_path(path);
+ if not path then
+ return 400;
+ end
+ local orig_path = sanitize_path(request.path);
+ local full_path = base_path .. (path and "/"..path or ""):gsub("/", path_sep);
+ local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows
 if not attr then
 return 404;
 end
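Review bot: `sanitize_path(path)` is now called unconditionally, but the retained `(path and "/"..path or "")` on the `full_path` line shows that `path` can be nil (presumably when the served prefix itself is requested), and `sanitize_path` begins with `path:gmatch(...)`, so a nil path would now raise inside the handler instead of serving the directory root. `path = sanitize_path(path or "");` keeps the old behaviour, and since the sanitized value always starts with "/" the nil guard on the next line is dead and can become `local full_path = base_path .. path:gsub("/", path_sep);` (the trailing-separator strip that follows already removes the separator left over when the sub-path is empty). `orig_path` is likewise assigned from `sanitize_path(request.path)` with no nil check; its uses are below the hunk, so if it is concatenated into a redirect target it needs the same guard or an early 400. serve_file's body continues past the end of the hunk, and the enclosing serve() begins before it.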