author | Mohammed Al Sahaf <msaa1990@gmail.com> | 2021-09-16 23:40:31 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-16 20:40:31 +0000 |
commit | 33c70f418f780f8e9524c73fbf4bbdbdbb9d7500 (patch) | |
tree | 7590c68508368624bf777e29850868f73cbbe35f /modules/caddyhttp/fileserver/staticfiles.go | |
parent | 2ebfda1ae93d356a2d3df53bf3411248886bafaf (diff) |
fileserver: properly handle escaped/non-ascii paths (#4332)
* fileserver: properly handle escaped/non-ascii paths
* fileserver: tests: accommodate Windows hate of colons in files names
Diffstat (limited to 'modules/caddyhttp/fileserver/staticfiles.go')
-rw-r--r-- | modules/caddyhttp/fileserver/staticfiles.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index 592b317..3e096e1 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -19,6 +19,7 @@ import (
 weakrand "math/rand"
 "mime"
 "net/http"
+ "net/url"
 "os"
 "path"
 "path/filepath"
@@ -165,6 +166,16 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
 filesToHide := fsrv.transformHidePaths(repl)
 root := repl.ReplaceAll(fsrv.Root, ".")
+ // PathUnescape returns an error if the escapes aren't well-formed,
+ // meaning the count % matches the RFC. Return early if the escape is
+ // improper.
+ if _, err := url.PathUnescape(r.URL.Path); err != nil {
+ fsrv.logger.Debug("improper path escape",
+ zap.String("site_root", root),
+ zap.String("request_path", r.URL.Path),
+ zap.Error(err))
+ return err
+ }
 filename := caddyhttp.SanitizedPathJoin(root, r.URL.Path)
 fsrv.logger.Debug("sanitized path join", |
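Review bot: The new guard in `ServeHTTP` calls `url.PathUnescape` on `r.URL.Path`, which net/http has already percent-decoded, so it is testing for a second layer of escaping rather than the escapes the client sent. As a result a file whose name holds a literal `%` not followed by two hex digits (requested as, say, `/100%25`) would be refused here. If this is meant as a guard against double decoding further down, the comment should say so, e.g. `// r.URL.Path is already decoded; reject paths that still hold malformed %-sequences`, since "the count % matches the RFC" is hard to follow. The bare `return err` also likely surfaces a client mistake as a generic server error; `return caddyhttp.Error(http.StatusBadRequest, err)` would state the status explicitly. The body of `ServeHTTP` starts before and continues after this hunk, so how the caller maps the error is not visible here.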