authorMohammed Al Sahaf <msaa1990@gmail.com>2021-09-16 23:40:31 +0300
committerGitHub <noreply@github.com>2021-09-16 20:40:31 +0000
commit33c70f418f780f8e9524c73fbf4bbdbdbb9d7500 (patch)
tree7590c68508368624bf777e29850868f73cbbe35f /modules/caddyhttp/fileserver/staticfiles.go
parent2ebfda1ae93d356a2d3df53bf3411248886bafaf (diff)
fileserver: properly handle escaped/non-ascii paths (#4332)
* fileserver: properly handle escaped/non-ascii paths * fileserver: tests: accommodate Windows hate of colons in file names
Diffstat (limited to 'modules/caddyhttp/fileserver/staticfiles.go')
-rw-r--r--modules/caddyhttp/fileserver/staticfiles.go11
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index 592b317..3e096e1 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -19,6 +19,7 @@ import (
weakrand "math/rand"
"mime"
"net/http"
+ "net/url"
"os"
"path"
"path/filepath"
@@ -165,6 +166,16 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
filesToHide := fsrv.transformHidePaths(repl)
root := repl.ReplaceAll(fsrv.Root, ".")
+ // PathUnescape returns an error if the escapes aren't well-formed,
+ // meaning the count % matches the RFC. Return early if the escape is
+ // improper.
+ if _, err := url.PathUnescape(r.URL.Path); err != nil {
+ fsrv.logger.Debug("improper path escape",
+ zap.String("site_root", root),
+ zap.String("request_path", r.URL.Path),
+ zap.Error(err))
+ return err
+ }
filename := caddyhttp.SanitizedPathJoin(root, r.URL.Path)
fsrv.logger.Debug("sanitized path join",