summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatt Holt <mholt@users.noreply.github.com>2022-10-18 21:55:25 -0600
committerGitHub <noreply@github.com>2022-10-18 21:55:25 -0600
commit4bf6cb41990e16b1d99015aea080d06d7ef1152d (patch)
tree981536bcd4d6632a80e776717be9e983c0c01dd2
parent72e7edda1f79f36dad1f0aa60a3603e3f4f44412 (diff)
fileserver: Reject ADS and short name paths; trim trailing dots and spaces on Windows (#5148)
* fileserver: Reject ADS and short name paths * caddyhttp: Trim trailing space and dot on Windows Windows ignores trailing dots and spaces in filenames. * Fix test * Adjust path filters * Revert Windows test * Actually revert the test * Just check for colons
-rw-r--r--modules/caddyhttp/caddyhttp_test.go2
-rw-r--r--modules/caddyhttp/fileserver/staticfiles.go14
2 files changed, 15 insertions, 1 deletions
diff --git a/modules/caddyhttp/caddyhttp_test.go b/modules/caddyhttp/caddyhttp_test.go
index 1bca4d6..a14de78 100644
--- a/modules/caddyhttp/caddyhttp_test.go
+++ b/modules/caddyhttp/caddyhttp_test.go
@@ -87,7 +87,7 @@ func TestSanitizedPathJoin(t *testing.T) {
}
actual := SanitizedPathJoin(tc.inputRoot, u.Path)
if actual != tc.expect {
- t.Errorf("Test %d: SanitizedPathJoin('%s', '%s') => %s (expected '%s')",
+ t.Errorf("Test %d: SanitizedPathJoin('%s', '%s') => '%s' (expected '%s')",
i, tc.inputRoot, tc.inputPath, actual, tc.expect)
}
}
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index 04728ce..fe1a4fc 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -26,6 +26,7 @@ import (
"os"
"path"
"path/filepath"
+ "runtime"
"strconv"
"strings"
"time"
@@ -232,6 +233,19 @@ func (fsrv *FileServer) Provision(ctx caddy.Context) error {
func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
repl := r.Context().Value(caddy.ReplacerCtxKey).(*caddy.Replacer)
+ if runtime.GOOS == "windows" {
+ // reject paths with Alternate Data Streams (ADS)
+ if strings.Contains(r.URL.Path, ":") {
+ return caddyhttp.Error(http.StatusBadRequest, fmt.Errorf("illegal ADS path"))
+ }
+ // reject paths with "8.3" short names
+ trimmedPath := strings.TrimRight(r.URL.Path, ". ") // Windows ignores trailing dots and spaces, sigh
+ if len(path.Base(trimmedPath)) <= 12 && strings.Contains(trimmedPath, "~") {
+ return caddyhttp.Error(http.StatusBadRequest, fmt.Errorf("illegal short name"))
+ }
+ // both of those could bypass file hiding or possibly leak information even if the file is not hidden
+ }
+
filesToHide := fsrv.transformHidePaths(repl)
root := repl.ReplaceAll(fsrv.Root, ".")