X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=plugins%2Fmod_http_files.lua;h=3b60249559c6e7e42bee94699d0f14ba122f7c4b;hb=dcafa6940b57fdbd0ebd4c09bfb3b6122752be19;hp=bd39936d288d6a0e4368b1528c28cd8158f6fff3;hpb=a05b1705d4088a3ad158064a1ffc1561edb7b918;p=prosody.git
diff --git a/plugins/mod_http_files.lua b/plugins/mod_http_files.lua
index bd39936d..3b602495 100644
--- a/plugins/mod_http_files.lua
+++ b/plugins/mod_http_files.lua
@@ -1,7 +1,7 @@
 -- Prosody IM
 -- Copyright (C) 2008-2010 Matthew Wild
 -- Copyright (C) 2008-2010 Waqas Hussain
---
+--
 -- This project is MIT/X11 licensed. Please see the
 -- COPYING file in the source package for more information.
 --
@@ -14,12 +14,13 @@ local os_date = os.date;
 local open = io.open;
 local stat = lfs.attributes;
 local build_path = require"socket.url".build_path;
+local path_sep = package.config:sub(1,1);
 
 local base_path = module:get_option_string("http_files_dir", module:get_option_string("http_path"));
 local dir_indices = module:get_option("http_index_files", { "index.html", "index.htm" });
 local directory_index = module:get_option_boolean("http_dir_listing");
 
-local mime_map = module:shared("mime").types;
+local mime_map = module:shared("/*/http_files/mime").types;
 if not mime_map then
 mime_map = {
 html = "text/html", htm = "text/html",
@@ -32,7 +33,7 @@ if not mime_map then
 jpeg = "image/jpeg", jpg = "image/jpeg",
 svg = "image/svg+xml",
 };
- module:shared("mime").types = mime_map;
+ module:shared("/*/http_files/mime").types = mime_map;
 local mime_types, err = open(module:get_option_string("mime_types_file", "/etc/mime.types"),"r");
 if mime_types then
 
@@ -48,17 +49,57 @@ if not mime_map then
 end
 end
 
+local forbidden_chars_pattern = "[/%z]";
+if prosody.platform == "windows" then
+ forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
+end
+
+local urldecode = require "util.http".urldecode;
+function sanitize_path(path)
+ if not path then return end
+ local out = {};
+
+ local c = 0;
+ for component in path:gmatch("([^/]+)") do
+ component = urldecode(component);
+ if component:find(forbidden_chars_pattern) then
+ return nil;
+ elseif component == ".." then
+ if c <= 0 then
+ return nil;
+ end
+ out[c] = nil;
+ c = c - 1;
+ elseif component ~= "." then
+ c = c + 1;
+ out[c] = component;
+ end
+ end
+ if path:sub(-1,-1) == "/" then
+ out[c+1] = "";
+ end
+ return "/"..table.concat(out, "/");
+end
+
 local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.
 
 function serve(opts)
+ if type(opts) ~= "table" then -- assume path string
+ opts = { path = opts };
+ end
 local base_path = opts.path;
 local dir_indices = opts.index_files or dir_indices;
 local directory_index = opts.directory_index;
 local function serve_file(event, path)
 local request, response = event.request, event.response;
- local orig_path = request.path;
- local full_path = base_path .. (path and "/"..path or "");
- local attr = stat(full_path);
+ local sanitized_path = sanitize_path(path);
+ if path and not sanitized_path then
+ return 400;
+ end
+ path = sanitized_path;
+ local orig_path = sanitize_path(request.path);
+ local full_path = base_path .. (path or ""):gsub("/", path_sep);
+ local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows
 if not attr then
 return 404;
 end
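Review bot: The Windows branch of `forbidden_chars_pattern`, `"[/%z\001-\031\127\"*:<>?|]"`, leaves the backslash out of the class, so a decoded component that contains one passes the `component:find` check, is not equal to `".."` for the `elseif` that tracks depth, and is copied into `full_path`, where the Windows filesystem reads it as a separator — on that platform `sanitize_path` does not confine the path the way the `[/%z]` class does on POSIX, unless an HTTP layer outside this hunk rejects backslashes first. Adding it, `forbidden_chars_pattern = "[/%z\001-\031\127\\\"*:<>?|]"`, closes the gap, since `\\` is a literal backslash in the Lua string and a backslash has no special meaning inside a pattern class. Rejecting it per component is preferable to mapping it later, because the `path:gsub("/", path_sep)` below only knows about the forward slash. Both `serve` and the inner `serve_file` continue past the end of this hunk.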
@@ -78,11 +119,11 @@ function serve(opts)
 return 304;
 end
 
- local data = cache[path];
+ local data = cache[orig_path];
 if data and data.etag == etag then
 response_headers.content_type = data.content_type;
 data = data.data;
- elseif attr.mode == "directory" then
+ elseif attr.mode == "directory" and path then
 if full_path:sub(-1) ~= "/" then
 local path = { is_absolute = true, is_directory = true };
 for dir in orig_path:gmatch("[^/]+") do path[#path+1]=dir; end
@@ -101,7 +142,7 @@ function serve(opts)
 if not data then
 return 403;
 end
- cache[path] = { data = data, content_type = mime_map.html; etag = etag; };
+ cache[orig_path] = { data = data, content_type = mime_map.html; etag = etag; };
 response_headers.content_type = mime_map.html;
 
 else
@@ -114,9 +155,9 @@ function serve(opts)
 module:log("debug", "Could not open or read %s. Error was %s", full_path, err);
 return 403;
 end
- local ext = path:match("%.([^./]+)$");
+ local ext = full_path:match("%.([^./]+)$");
 local content_type = ext and mime_map[ext];
- cache[path] = { data = data; content_type = content_type; etag = etag };
+ cache[orig_path] = { data = data; content_type = content_type; etag = etag };
 response_headers.content_type = content_type;
 end
 
@@ -126,6 +167,14 @@ function serve(opts)
 return serve_file;
 end
 
+function wrap_route(routes)
+ for route,handler in pairs(routes) do
+ if type(handler) ~= "function" then
+ routes[route] = serve(handler);
+ end
+ end
+ return routes;
+end
 if base_path then
 module:provides("http", {
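Review bot: `cache[orig_path]` on the first changed line, and the two `cache[orig_path] = { … }` writes in the next two hunks of this file, index the cache with a value that can be nil: `orig_path` is `sanitize_path(request.path)`, assigned in the earlier hunk without the nil check that `path` receives, and `sanitize_path` returns nil for a rejected component or a `..` that climbs above the root. A nil key makes the writes raise "table index is nil", which presumably surfaces as a server error rather than the 400 the route-capture check produces; whether a request can reach this line with the capture accepted but the full path rejected depends on the router, which is outside these hunks. A guard beside the existing one in `serve_file`, `if not orig_path then return 400; end`, keeps the two checks consistent and also protects the `orig_path:gmatch` call in the directory branch. `serve_file` begins before and ends after these hunks.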