Default error handler; rename StaticFiles -> FileServer

author: Matthew Holt <mholt@users.noreply.github.com> 2019-05-20 21:21:33 -0600
committer: Matthew Holt <mholt@users.noreply.github.com> 2019-05-20 21:21:33 -0600
commit: a9698728506c580bc38db2e122a5e6ef07f85ce6 (patch)
tree: a583112f114fc01e09867aa123578861637b04d5 /modules/caddyhttp/fileserver
parent: aaacab1bc3790e3a207ae5d70ca6559cac265bff (diff)
6 files changed, 1359 insertions, 0 deletions
diff --git a/modules/caddyhttp/fileserver/browse.go b/modules/caddyhttp/fileserver/browse.go
new file mode 100644
index 0000000..ed5ad42
--- /dev/null
+++ b/modules/caddyhttp/fileserver/browse.go
@@ -0,0 +1,157 @@
+package fileserver
+
+import (
+	"bytes"
+	"encoding/json"
+	"html/template"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+
+	"bitbucket.org/lightcodelabs/caddy2"
+	"bitbucket.org/lightcodelabs/caddy2/modules/caddyhttp"
+)
+
+// Browse configures directory browsing.
+type Browse struct {
+	TemplateFile string `json:"template_file"`
+
+	template *template.Template
+}
+
+func (fsrv *FileServer) serveBrowse(dirPath string, w http.ResponseWriter, r *http.Request) error {
+	dir, err := fsrv.openFile(dirPath, w)
+	if err != nil {
+		return err
+	}
+	defer dir.Close()
+
+	repl := r.Context().Value(caddy2.ReplacerCtxKey).(caddy2.Replacer)
+
+	listing, err := fsrv.loadDirectoryContents(dir, r.URL.Path, repl)
+	switch {
+	case os.IsPermission(err):
+		return caddyhttp.Error(http.StatusForbidden, err)
+	case os.IsNotExist(err):
+		return caddyhttp.Error(http.StatusNotFound, err)
+	case err != nil:
+		return caddyhttp.Error(http.StatusInternalServerError, err)
+	}
+
+	fsrv.browseApplyQueryParams(w, r, &listing)
+
+	// write response as either JSON or HTML
+	var buf *bytes.Buffer
+	acceptHeader := strings.ToLower(strings.Join(r.Header["Accept"], ","))
+	if strings.Contains(acceptHeader, "application/json") {
+		if buf, err = fsrv.browseWriteJSON(listing); err != nil {
+			return caddyhttp.Error(http.StatusInternalServerError, err)
+		}
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	} else {
+		if buf, err = fsrv.browseWriteHTML(listing); err != nil {
+			return caddyhttp.Error(http.StatusInternalServerError, err)
+		}
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	}
+	buf.WriteTo(w)
+
+	return nil
+
+	// TODO: Sigh... do we have to put this here?
+	// // Browsing navigation gets messed up if browsing a directory
+	// // that doesn't end in "/" (which it should, anyway)
+	// u := *r.URL
+	// if u.Path == "" {
+	// 	u.Path = "/"
+	// }
+	// if u.Path[len(u.Path)-1] != '/' {
+	// 	u.Path += "/"
+	// 	http.Redirect(w, r, u.String(), http.StatusMovedPermanently)
+	// 	return http.StatusMovedPermanently, nil
+	// }
+
+	// return b.ServeListing(w, r, requestedFilepath, bc)
+}
+
+func (fsrv *FileServer) loadDirectoryContents(dir *os.File, urlPath string, repl caddy2.Replacer) (browseListing, error) {
+	files, err := dir.Readdir(-1)
+	if err != nil {
+		return browseListing{}, err
+	}
+
+	// determine if user can browse up another folder
+	curPathDir := path.Dir(strings.TrimSuffix(urlPath, "/"))
+	canGoUp := strings.HasPrefix(curPathDir, fsrv.Root)
+
+	return fsrv.directoryListing(files, canGoUp, urlPath, repl), nil
+}
+
+// browseApplyQueryParams applies query parameters to the listing.
+// It mutates the listing and may set cookies.
+func (fsrv *FileServer) browseApplyQueryParams(w http.ResponseWriter, r *http.Request, listing *browseListing) {
+	sortParam := r.URL.Query().Get("sort")
+	orderParam := r.URL.Query().Get("order")
+	limitParam := r.URL.Query().Get("limit")
+
+	// first figure out what to sort by
+	switch sortParam {
+	case "":
+		sortParam = sortByNameDirFirst
+		if sortCookie, sortErr := r.Cookie("sort"); sortErr == nil {
+			sortParam = sortCookie.Value
+		}
+	case sortByName, sortByNameDirFirst, sortBySize, sortByTime:
+		http.SetCookie(w, &http.Cookie{Name: "sort", Value: sortParam, Secure: r.TLS != nil})
+	}
+
+	// then figure out the order
+	switch orderParam {
+	case "":
+		orderParam = "asc"
+		if orderCookie, orderErr := r.Cookie("order"); orderErr == nil {
+			orderParam = orderCookie.Value
+		}
+	case "asc", "desc":
+		http.SetCookie(w, &http.Cookie{Name: "order", Value: orderParam, Secure: r.TLS != nil})
+	}
+
+	// finally, apply the sorting and limiting
+	listing.applySortAndLimit(sortParam, orderParam, limitParam)
+}
+
+func (fsrv *FileServer) browseWriteJSON(listing browseListing) (*bytes.Buffer, error) {
+	buf := new(bytes.Buffer)
+	err := json.NewEncoder(buf).Encode(listing.Items)
+	return buf, err
+}
+
+func (fsrv *FileServer) browseWriteHTML(listing browseListing) (*bytes.Buffer, error) {
+	buf := new(bytes.Buffer)
+	err := fsrv.Browse.template.Execute(buf, listing)
+	return buf, err
+}
+
+// isSymlink return true if f is a symbolic link
+func isSymlink(f os.FileInfo) bool {
+	return f.Mode()&os.ModeSymlink != 0
+}
+
+// isSymlinkTargetDir return true if f's symbolic link target
+// is a directory. Return false if not a symbolic link.
+// TODO: Re-implement
+func isSymlinkTargetDir(f os.FileInfo, urlPath string) bool {
+	// if !isSymlink(f) {
+	// 	return false
+	// }
+
+	// // TODO: Ensure path is sanitized
+	// target:= path.Join(root, urlPath, f.Name()))
+	// targetInfo, err := os.Stat(target)
+	// if err != nil {
+	// 	return false
+	// }
+	// return targetInfo.IsDir()
+	return false
+}
diff --git a/modules/caddyhttp/fileserver/browselisting.go b/modules/caddyhttp/fileserver/browselisting.go
new file mode 100644
index 0000000..e17b7ae
--- /dev/null
+++ b/modules/caddyhttp/fileserver/browselisting.go
@@ -0,0 +1,245 @@
+package fileserver
+
+import (
+	"net/url"
+	"os"
+	"path"
+	"sort"
+	"strconv"
+	"strings"
+	"time"
+
+	"bitbucket.org/lightcodelabs/caddy2"
+	"github.com/dustin/go-humanize"
+)
+
+func (fsrv *FileServer) directoryListing(files []os.FileInfo, canGoUp bool, urlPath string, repl caddy2.Replacer) browseListing {
+	filesToHide := fsrv.transformHidePaths(repl)
+
+	var (
+		fileInfos           []fileInfo
+		dirCount, fileCount int
+	)
+
+	for _, f := range files {
+		name := f.Name()
+
+		if fileHidden(name, filesToHide) {
+			continue
+		}
+
+		isDir := f.IsDir() || isSymlinkTargetDir(f, urlPath)
+
+		if isDir {
+			name += "/"
+			dirCount++
+		} else {
+			fileCount++
+		}
+
+		u := url.URL{Path: "./" + name} // prepend with "./" to fix paths with ':' in the name
+
+		fileInfos = append(fileInfos, fileInfo{
+			IsDir:     isDir,
+			IsSymlink: isSymlink(f),
+			Name:      f.Name(),
+			Size:      f.Size(),
+			URL:       u.String(),
+			ModTime:   f.ModTime().UTC(),
+			Mode:      f.Mode(),
+		})
+	}
+
+	return browseListing{
+		Name:     path.Base(urlPath),
+		Path:     urlPath,
+		CanGoUp:  canGoUp,
+		Items:    fileInfos,
+		NumDirs:  dirCount,
+		NumFiles: fileCount,
+	}
+}
+
+type browseListing struct {
+	// The name of the directory (the last element of the path).
+	Name string
+
+	// The full path of the request.
+	Path string
+
+	// Whether the parent directory is browseable.
+	CanGoUp bool
+
+	// The items (files and folders) in the path.
+	Items []fileInfo
+
+	// The number of directories in the listing.
+	NumDirs int
+
+	// The number of files (items that aren't directories) in the listing.
+	NumFiles int
+
+	// Sort column used
+	Sort string
+
+	// Sorting order
+	Order string
+
+	// If ≠0 then Items have been limited to that many elements.
+	ItemsLimitedTo int
+}
+
+// Breadcrumbs returns l.Path where every element maps
+// the link to the text to display.
+func (l browseListing) Breadcrumbs() []crumb {
+	var result []crumb
+
+	if len(l.Path) == 0 {
+		return result
+	}
+
+	// skip trailing slash
+	lpath := l.Path
+	if lpath[len(lpath)-1] == '/' {
+		lpath = lpath[:len(lpath)-1]
+	}
+
+	parts := strings.Split(lpath, "/")
+	for i := range parts {
+		txt := parts[i]
+		if i == 0 && parts[i] == "" {
+			txt = "/"
+		}
+		lnk := strings.Repeat("../", len(parts)-i-1)
+		result = append(result, crumb{Link: lnk, Text: txt})
+	}
+
+	return result
+}
+
+func (l *browseListing) applySortAndLimit(sortParam, orderParam, limitParam string) {
+	l.Sort = sortParam
+	l.Order = orderParam
+
+	if l.Order == "desc" {
+		switch l.Sort {
+		case sortByName:
+			sort.Sort(sort.Reverse(byName(*l)))
+		case sortByNameDirFirst:
+			sort.Sort(sort.Reverse(byNameDirFirst(*l)))
+		case sortBySize:
+			sort.Sort(sort.Reverse(bySize(*l)))
+		case sortByTime:
+			sort.Sort(sort.Reverse(byTime(*l)))
+		}
+	} else {
+		switch l.Sort {
+		case sortByName:
+			sort.Sort(byName(*l))
+		case sortByNameDirFirst:
+			sort.Sort(byNameDirFirst(*l))
+		case sortBySize:
+			sort.Sort(bySize(*l))
+		case sortByTime:
+			sort.Sort(byTime(*l))
+		}
+	}
+
+	if limitParam != "" {
+		limit, _ := strconv.Atoi(limitParam)
+		if limit > 0 && limit <= len(l.Items) {
+			l.Items = l.Items[:limit]
+			l.ItemsLimitedTo = limit
+		}
+	}
+}
+
+// crumb represents part of a breadcrumb menu,
+// pairing a link with the text to display.
+type crumb struct {
+	Link, Text string
+}
+
+// fileInfo contains serializable information
+// about a file or directory.
+type fileInfo struct {
+	Name      string      `json:"name"`
+	Size      int64       `json:"size"`
+	URL       string      `json:"url"`
+	ModTime   time.Time   `json:"mod_time"`
+	Mode      os.FileMode `json:"mode"`
+	IsDir     bool        `json:"is_dir"`
+	IsSymlink bool        `json:"is_symlink"`
+}
+
+// HumanSize returns the size of the file as a
+// human-readable string in IEC format (i.e.
+// power of 2 or base 1024).
+func (fi fileInfo) HumanSize() string {
+	return humanize.IBytes(uint64(fi.Size))
+}
+
+// HumanModTime returns the modified time of the file
+// as a human-readable string given by format.
+func (fi fileInfo) HumanModTime(format string) string {
+	return fi.ModTime.Format(format)
+}
+
+type byName browseListing
+type byNameDirFirst browseListing
+type bySize browseListing
+type byTime browseListing
+
+func (l byName) Len() int      { return len(l.Items) }
+func (l byName) Swap(i, j int) { l.Items[i], l.Items[j] = l.Items[j], l.Items[i] }
+
+func (l byName) Less(i, j int) bool {
+	return strings.ToLower(l.Items[i].Name) < strings.ToLower(l.Items[j].Name)
+}
+
+func (l byNameDirFirst) Len() int      { return len(l.Items) }
+func (l byNameDirFirst) Swap(i, j int) { l.Items[i], l.Items[j] = l.Items[j], l.Items[i] }
+
+func (l byNameDirFirst) Less(i, j int) bool {
+	// sort by name if both are dir or file
+	if l.Items[i].IsDir == l.Items[j].IsDir {
+		return strings.ToLower(l.Items[i].Name) < strings.ToLower(l.Items[j].Name)
+	}
+	// sort dir ahead of file
+	return l.Items[i].IsDir
+}
+
+func (l bySize) Len() int      { return len(l.Items) }
+func (l bySize) Swap(i, j int) { l.Items[i], l.Items[j] = l.Items[j], l.Items[i] }
+
+func (l bySize) Less(i, j int) bool {
+	const directoryOffset = -1 << 31 // = -math.MinInt32
+
+	iSize, jSize := l.Items[i].Size, l.Items[j].Size
+
+	// directory sizes depend on the file system; to
+	// provide a consistent experience, put them up front
+	// and sort them by name
+	if l.Items[i].IsDir {
+		iSize = directoryOffset
+	}
+	if l.Items[j].IsDir {
+		jSize = directoryOffset
+	}
+	if l.Items[i].IsDir && l.Items[j].IsDir {
+		return strings.ToLower(l.Items[i].Name) < strings.ToLower(l.Items[j].Name)
+	}
+
+	return iSize < jSize
+}
+
+func (l byTime) Len() int           { return len(l.Items) }
+func (l byTime) Swap(i, j int)      { l.Items[i], l.Items[j] = l.Items[j], l.Items[i] }
+func (l byTime) Less(i, j int) bool { return l.Items[i].ModTime.Before(l.Items[j].ModTime) }
+
+const (
+	sortByName         = "name"
+	sortByNameDirFirst = "name_dir_first"
+	sortBySize         = "size"
+	sortByTime         = "time"
+)
diff --git a/modules/caddyhttp/fileserver/browsetpl.go b/modules/caddyhttp/fileserver/browsetpl.go
new file mode 100644
index 0000000..aebf146
--- /dev/null
+++ b/modules/caddyhttp/fileserver/browsetpl.go
@@ -0,0 +1,403 @@
+package fileserver
+
+const defaultBrowseTemplate = `<!DOCTYPE html>
+<html>
+	<head>
+		<title>{{html .Name}}</title>
+		<meta charset="utf-8">
+		<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<style>
+* { padding: 0; margin: 0; }
+
+body {
+	font-family: sans-serif;
+	text-rendering: optimizespeed;
+	background-color: #ffffff;
+}
+
+a {
+	color: #006ed3;
+	text-decoration: none;
+}
+
+a:hover,
+h1 a:hover {
+	color: #319cff;
+}
+
+header,
+#summary {
+	padding-left: 5%;
+	padding-right: 5%;
+}
+
+th:first-child,
+td:first-child {
+	width: 5%;
+}
+
+th:last-child,
+td:last-child {
+	width: 5%;
+}
+
+header {
+	padding-top: 25px;
+	padding-bottom: 15px;
+	background-color: #f2f2f2;
+}
+
+h1 {
+	font-size: 20px;
+	font-weight: normal;
+	white-space: nowrap;
+	overflow-x: hidden;
+	text-overflow: ellipsis;
+	color: #999;
+}
+
+h1 a {
+	color: #000;
+	margin: 0 4px;
+}
+
+h1 a:hover {
+	text-decoration: underline;
+}
+
+h1 a:first-child {
+	margin: 0;
+}
+
+main {
+	display: block;
+}
+
+.meta {
+	font-size: 12px;
+	font-family: Verdana, sans-serif;
+	border-bottom: 1px solid #9C9C9C;
+	padding-top: 10px;
+	padding-bottom: 10px;
+}
+
+.meta-item {
+	margin-right: 1em;
+}
+
+#filter {
+	padding: 4px;
+	border: 1px solid #CCC;
+}
+
+table {
+	width: 100%;
+	border-collapse: collapse;
+}
+
+tr {
+	border-bottom: 1px dashed #dadada;
+}
+
+tbody tr:hover {
+	background-color: #ffffec;
+}
+
+th,
+td {
+	text-align: left;
+	padding: 10px 0;
+}
+
+th {
+	padding-top: 15px;
+	padding-bottom: 15px;
+	font-size: 16px;
+	white-space: nowrap;
+}
+
+th a {
+	color: black;
+}
+
+th svg {
+	vertical-align: middle;
+}
+
+td {
+	white-space: nowrap;
+	font-size: 14px;
+}
+
+td:nth-child(2) {
+	width: 80%;
+}
+
+td:nth-child(3),
+th:nth-child(3) {
+	padding: 0 20px 0 20px;
+}
+
+th:nth-child(4),
+td:nth-child(4) {
+	text-align: right;
+}
+
+td:nth-child(2) svg {
+	position: absolute;
+}
+
+td .name,
+td .goup {
+	margin-left: 1.75em;
+	word-break: break-all;
+	overflow-wrap: break-word;
+	white-space: pre-wrap;
+}
+
+.icon {
+	margin-right: 5px;
+}
+
+.icon.sort {
+	display: inline-block;
+	width: 1em;
+	height: 1em;
+	position: relative;
+	top: .2em;
+}
+
+.icon.sort .top {
+	position: absolute;
+	left: 0;
+	top: -1px;
+}
+
+.icon.sort .bottom {
+	position: absolute;
+	bottom: -1px;
+	left: 0;
+}
+
+footer {
+	padding: 40px 20px;
+	font-size: 12px;
+	text-align: center;
+}
+
+@media (max-width: 600px) {
+	.hideable {
+		display: none;
+	}
+
+	td:nth-child(2) {
+		width: auto;
+	}
+
+	th:nth-child(3),
+	td:nth-child(3) {
+		padding-right: 5%;
+		text-align: right;
+	}
+
+	h1 {
+		color: #000;
+	}
+
+	h1 a {
+		margin: 0;
+	}
+
+	#filter {
+		max-width: 100px;
+	}
+}
+</style>
+	</head>
+	<body onload='filter()'>
+		<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" height="0" width="0" style="position: absolute;">
+			<defs>
+				<!-- Folder -->
+				<g id="folder" fill-rule="nonzero" fill="none">
+					<path d="M285.22 37.55h-142.6L110.9 0H31.7C14.25 0 0 16.9 0 37.55v75.1h316.92V75.1c0-20.65-14.26-37.55-31.7-37.55z" fill="#FFA000"/>
+					<path d="M285.22 36H31.7C14.25 36 0 50.28 0 67.74v158.7c0 17.47 14.26 31.75 31.7 31.75H285.2c17.44 0 31.7-14.3 31.7-31.75V67.75c0-17.47-14.26-31.75-31.7-31.75z" fill="#FFCA28"/>
+				</g>
+				<g id="folder-shortcut" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+					<g id="folder-shortcut-group" fill-rule="nonzero">
+						<g id="folder-shortcut-shape">
+							<path d="M285.224876,37.5486902 L142.612438,37.5486902 L110.920785,0 L31.6916529,0 C14.2612438,0 0,16.8969106 0,37.5486902 L0,112.646071 L316.916529,112.646071 L316.916529,75.0973805 C316.916529,54.4456008 302.655285,37.5486902 285.224876,37.5486902 Z" id="Shape" fill="#FFA000"></path>
+							<path d="M285.224876,36 L31.6916529,36 C14.2612438,36 0,50.2838568 0,67.7419039 L0,226.451424 C0,243.909471 14.2612438,258.193328 31.6916529,258.193328 L285.224876,258.193328 C302.655285,258.193328 316.916529,243.909471 316.916529,226.451424 L316.916529,67.7419039 C316.916529,50.2838568 302.655285,36 285.224876,36 Z" id="Shape" fill="#FFCA28"></path>
+						</g>
+						<path d="M126.154134,250.559184 C126.850974,251.883673 127.300549,253.006122 127.772602,254.106122 C128.469442,255.206122 128.919016,256.104082 129.638335,257.002041 C130.559962,258.326531 131.728855,259 133.100057,259 C134.493737,259 135.415364,258.55102 136.112204,257.67551 C136.809044,257.002041 137.258619,255.902041 137.258619,254.577551 C137.258619,253.904082 137.258619,252.804082 137.033832,251.457143 C136.786566,249.908163 136.561779,249.032653 136.561779,248.583673 C136.089726,242.814286 135.864939,237.920408 135.864939,233.273469 C135.864939,225.057143 136.786566,217.514286 138.180246,210.846939 C139.798713,204.202041 141.889234,198.634694 144.429328,193.763265 C147.216689,188.869388 150.678411,184.873469 154.836973,181.326531 C158.995535,177.779592 163.626149,174.883673 168.481552,172.661224 C173.336954,170.438776 179.113983,168.665306 185.587852,167.340816 C192.061722,166.218367 198.760378,165.342857 205.481514,164.669388 C212.18017,164.220408 219.598146,163.995918 228.162535,163.995918 L246.055591,163.995918 L246.055591,195.514286 C246.055591,197.736735 246.752431,199.510204 248.370899,201.059184 C250.214153,202.608163 252.079886,203.506122 254.372715,203.506122 C256.463236,203.506122 258.531277,202.608163 260.172223,201.059184 L326.102289,137.797959 C327.720757,136.24898 328.642384,134.47551 328.642384,132.253061 C328.642384,130.030612 327.720757,128.257143 326.102289,126.708163 L260.172223,63.4469388 C258.553756,61.8979592 256.463236,61 254.395194,61 C252.079886,61 250.236632,61.8979592 248.393377,63.4469388 C246.77491,64.9959184 246.07807,66.7693878 246.07807,68.9918367 L246.07807,100.510204 L228.162535,100.510204 C166.863084,100.510204 129.166282,117.167347 115.274437,150.459184 C110.666301,161.54898 108.350993,175.310204 108.350993,191.742857 C108.350993,205.279592 113.903236,223.912245 124.760454,247.438776 C125.00772,248.112245 125.457294,249.010204 126.154134,250.559184 Z" id="Shape" fill="#FFFFFF" transform="translate(218.496689, 160.000000) scale(-1, 1) translate(-218.496689, -160.000000) "></path>
+					</g>
+				</g>
+
+				<!-- File -->
+				<g id="file" stroke="#000" stroke-width="25" fill="#FFF" fill-rule="evenodd" stroke-linecap="round" stroke-linejoin="round">
+					<path d="M13 24.12v274.76c0 6.16 5.87 11.12 13.17 11.12H239c7.3 0 13.17-4.96 13.17-11.12V136.15S132.6 13 128.37 13H26.17C18.87 13 13 17.96 13 24.12z"/>
+					<path d="M129.37 13L129 113.9c0 10.58 7.26 19.1 16.27 19.1H249L129.37 13z"/>
+				</g>
+				<g id="file-shortcut" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+					<g id="file-shortcut-group" transform="translate(13.000000, 13.000000)">
+						<g id="file-shortcut-shape" stroke="#000000" stroke-width="25" fill="#FFFFFF" stroke-linecap="round" stroke-linejoin="round">
+							<path d="M0,11.1214886 L0,285.878477 C0,292.039924 5.87498876,296.999983 13.1728373,296.999983 L225.997983,296.999983 C233.295974,296.999983 239.17082,292.039942 239.17082,285.878477 L239.17082,123.145388 C239.17082,123.145388 119.58541,2.84217094e-14 115.369423,2.84217094e-14 L13.1728576,2.84217094e-14 C5.87500907,-1.71479982e-05 0,4.96022995 0,11.1214886 Z" id="rect1171"></path>
+							<path d="M116.37005,0 L116,100.904964 C116,111.483663 123.258008,120 132.273377,120 L236,120 L116.37005,0 L116.37005,0 Z" id="rect1794"></path>
+						</g>
+						<path d="M47.803141,294.093878 C48.4999811,295.177551 48.9495553,296.095918 49.4216083,296.995918 C50.1184484,297.895918 50.5680227,298.630612 51.2873415,299.365306 C52.2089688,300.44898 53.3778619,301 54.7490634,301 C56.1427436,301 57.0643709,300.632653 57.761211,299.916327 C58.4580511,299.365306 58.9076254,298.465306 58.9076254,297.381633 C58.9076254,296.830612 58.9076254,295.930612 58.6828382,294.828571 C58.4355724,293.561224 58.2107852,292.844898 58.2107852,292.477551 C57.7387323,287.757143 57.5139451,283.753061 57.5139451,279.95102 C57.5139451,273.228571 58.4355724,267.057143 59.8292526,261.602041 C61.44772,256.165306 63.5382403,251.610204 66.0783349,247.62449 C68.8656954,243.620408 72.3274172,240.35102 76.4859792,237.44898 C80.6445412,234.546939 85.2751561,232.177551 90.1305582,230.359184 C94.9859603,228.540816 100.76299,227.089796 107.236859,226.006122 C113.710728,225.087755 120.409385,224.371429 127.13052,223.820408 C133.829177,223.453061 141.247152,223.269388 149.811542,223.269388 L167.704598,223.269388 L167.704598,249.057143 C167.704598,250.87551 168.401438,252.326531 170.019905,253.593878 C171.86316,254.861224 173.728893,255.595918 176.021722,255.595918 C178.112242,255.595918 180.180284,254.861224 181.82123,253.593878 L247.751296,201.834694 C249.369763,200.567347 250.291391,199.116327 250.291391,197.297959 C250.291391,195.479592 249.369763,194.028571 247.751296,192.761224 L181.82123,141.002041 C180.202763,139.734694 178.112242,139 176.044201,139 C173.728893,139 171.885639,139.734694 170.042384,141.002041 C168.423917,142.269388 167.727077,143.720408 167.727077,145.538776 L167.727077,171.326531 L149.811542,171.326531 C88.5120908,171.326531 50.8152886,184.955102 36.9234437,212.193878 C32.3153075,221.267347 30,232.526531 30,245.971429 C30,257.046939 35.5522422,272.291837 46.4094607,291.540816 C46.6567266,292.091837 47.1063009,292.826531 47.803141,294.093878 Z" id="Shape-Copy" fill="#000000" fill-rule="nonzero" transform="translate(140.145695, 220.000000) scale(-1, 1) translate(-140.145695, -220.000000) "></path>
+					</g>
+				</g>
+
+				<!-- Up arrow -->
+				<g id="up-arrow" transform="translate(-279.22 -208.12)">
+					<path transform="matrix(.22413 0 0 .12089 335.67 164.35)" stroke-width="0" d="m-194.17 412.01h-28.827-28.827l14.414-24.965 14.414-24.965 14.414 24.965z"/>
+				</g>
+
+				<!-- Down arrow -->
+				<g id="down-arrow" transform="translate(-279.22 -208.12)">
+					<path transform="matrix(.22413 0 0 -.12089 335.67 257.93)" stroke-width="0" d="m-194.17 412.01h-28.827-28.827l14.414-24.965 14.414-24.965 14.414 24.965z"/>
+				</g>
+			</defs>
+		</svg>
+
+		<header>
+			<h1>
+				{{range $i, $crumb := .Breadcrumbs}}<a href="{{html $crumb.Link}}">{{html $crumb.Text}}</a>{{if ne $i 0}}/{{end}}{{end}}
+			</h1>
+		</header>
+		<main>
+			<div class="meta">
+				<div id="summary">
+					<span class="meta-item"><b>{{.NumDirs}}</b> director{{if eq 1 .NumDirs}}y{{else}}ies{{end}}</span>
+					<span class="meta-item"><b>{{.NumFiles}}</b> file{{if ne 1 .NumFiles}}s{{end}}</span>
+					{{- if ne 0 .ItemsLimitedTo}}
+					<span class="meta-item">(of which only <b>{{.ItemsLimitedTo}}</b> are displayed)</span>
+					{{- end}}
+					<span class="meta-item"><input type="text" placeholder="filter" id="filter" onkeyup='filter()'></span>
+				</div>
+			</div>
+			<div class="listing">
+				<table aria-describedby="summary">
+					<thead>
+					<tr>
+						<th></th>
+						<th>
+							{{- if and (eq .Sort "namedirfirst") (ne .Order "desc")}}
+							<a href="?sort=namedirfirst&order=desc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}" class="icon"><svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#up-arrow"></use></svg></a>
+							{{- else if and (eq .Sort "namedirfirst") (ne .Order "asc")}}
+							<a href="?sort=namedirfirst&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}" class="icon"><svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#down-arrow"></use></svg></a>
+							{{- else}}
+							<a href="?sort=namedirfirst&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}" class="icon sort"><svg class="top" width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#up-arrow"></use></svg><svg class="bottom" width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#down-arrow"></use></svg></a>
+							{{- end}}
+							
+							{{- if and (eq .Sort "name") (ne .Order "desc")}}
+							<a href="?sort=name&order=desc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Name <svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#up-arrow"></use></svg></a>
+							{{- else if and (eq .Sort "name") (ne .Order "asc")}}
+							<a href="?sort=name&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Name <svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#down-arrow"></use></svg></a>
+							{{- else}}
+							<a href="?sort=name&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Name</a>
+							{{- end}}
+						</th>
+						<th>
+							{{- if and (eq .Sort "size") (ne .Order "desc")}}
+							<a href="?sort=size&order=desc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Size <svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#up-arrow"></use></svg></a>
+							{{- else if and (eq .Sort "size") (ne .Order "asc")}}
+							<a href="?sort=size&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Size <svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#down-arrow"></use></svg></a>
+							{{- else}}
+							<a href="?sort=size&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Size</a>
+							{{- end}}
+						</th>
+						<th class="hideable">
+							{{- if and (eq .Sort "time") (ne .Order "desc")}}
+							<a href="?sort=time&order=desc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Modified <svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#up-arrow"></use></svg></a>
+							{{- else if and (eq .Sort "time") (ne .Order "asc")}}
+							<a href="?sort=time&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Modified <svg width="1em" height=".5em" version="1.1" viewBox="0 0 12.922194 6.0358899"><use xlink:href="#down-arrow"></use></svg></a>
+							{{- else}}
+							<a href="?sort=time&order=asc{{if ne 0 .ItemsLimitedTo}}&limit={{.ItemsLimitedTo}}{{end}}">Modified</a>
+							{{- end}}
+						</th>
+						<th class="hideable"></th>
+					</tr>
+					</thead>
+					<tbody>
+					{{- if .CanGoUp}}
+					<tr>
+						<td></td>
+						<td>
+							<a href="..">
+								<span class="goup">Go up</span>
+							</a>
+						</td>
+						<td>&mdash;</td>
+						<td class="hideable">&mdash;</td>
+						<td class="hideable"></td>
+					</tr>
+					{{- end}}
+					{{- range .Items}}
+					<tr class="file">
+						<td></td>
+						<td>
+							<a href="{{html .URL}}">
+								{{- if .IsDir}}
+								<svg width="1.5em" height="1em" version="1.1" viewBox="0 0 317 259"><use xlink:href="#folder{{if .IsSymlink}}-shortcut{{end}}"></use></svg>
+								{{- else}}
+								<svg width="1.5em" height="1em" version="1.1" viewBox="0 0 265 323"><use xlink:href="#file{{if .IsSymlink}}-shortcut{{end}}"></use></svg>
+								{{- end}}
+								<span class="name">{{html .Name}}</span>
+							</a>
+						</td>
+						{{- if .IsDir}}
+						<td data-order="-1">&mdash;</td>
+						{{- else}}
+						<td data-order="{{.Size}}">{{.HumanSize}}</td>
+						{{- end}}
+						<td class="hideable"><time datetime="{{.HumanModTime "2006-01-02T15:04:05Z"}}">{{.HumanModTime "01/02/2006 03:04:05 PM -07:00"}}</time></td>
+						<td class="hideable"></td>
+					</tr>
+					{{- end}}
+					</tbody>
+				</table>
+			</div>
+		</main>
+		<footer>
+			Served with <a rel="noopener noreferrer" href="https://caddyserver.com">Caddy</a>
+		</footer>
+		<script>
+			var filterEl = document.getElementById('filter');
+			filterEl.focus();
+
+			function filter() {
+				var q = filterEl.value.trim().toLowerCase();
+				var elems = document.querySelectorAll('tr.file');
+				elems.forEach(function(el) {
+					if (!q) {
+						el.style.display = '';
+						return;
+					}
+					var nameEl = el.querySelector('.name');
+					var nameVal = nameEl.textContent.trim().toLowerCase();
+					if (nameVal.indexOf(q) !== -1) {
+						el.style.display = '';
+					} else {
+						el.style.display = 'none';
+					}
+				});
+			}
+
+			function localizeDatetime(e, index, ar) {
+				if (e.textContent === undefined) {
+					return;
+				}
+				var d = new Date(e.getAttribute('datetime'));
+				if (isNaN(d)) {
+					d = new Date(e.textContent);
+					if (isNaN(d)) {
+						return;
+					}
+				}
+				e.textContent = d.toLocaleString([], {day: "2-digit", month: "2-digit", year: "numeric", hour: "2-digit", minute: "2-digit", second: "2-digit"});
+			}
+			var timeList = Array.prototype.slice.call(document.getElementsByTagName("time"));
+			timeList.forEach(localizeDatetime);
+		</script>
+	</body>
+</html>`
diff --git a/modules/caddyhttp/fileserver/matcher.go b/modules/caddyhttp/fileserver/matcher.go
new file mode 100644
index 0000000..fd994d0
--- /dev/null
+++ b/modules/caddyhttp/fileserver/matcher.go
@@ -0,0 +1,57 @@
+package fileserver
+
+import (
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"bitbucket.org/lightcodelabs/caddy2"
+	"bitbucket.org/lightcodelabs/caddy2/modules/caddyhttp"
+)
+
+func init() {
+	caddy2.RegisterModule(caddy2.Module{
+		Name: "http.matchers.file",
+		New:  func() (interface{}, error) { return new(FileMatcher), nil },
+	})
+}
+
+// FileMatcher is a matcher that can match requests
+// based on the local file system.
+// TODO: Not sure how to do this well; we'd need the ability to
+// hide files, etc...
+// TODO: Also consider a feature to match directory that
+// contains a certain filename (use filepath.Glob), useful
+// if wanting to map directory-URI requests where the dir
+// has index.php to PHP backends, for example (although this
+// can effectively be done with rehandling already)
+type FileMatcher struct {
+	Root  string   `json:"root"`
+	Path  string   `json:"path"`
+	Flags []string `json:"flags"`
+}
+
+// Match matches the request r against m.
+func (m FileMatcher) Match(r *http.Request) bool {
+	// TODO: sanitize path
+	fullPath := filepath.Join(m.Root, m.Path)
+	var match bool
+	if len(m.Flags) > 0 {
+		match = true
+		fi, err := os.Stat(fullPath)
+		for _, f := range m.Flags {
+			switch f {
+			case "EXIST":
+				match = match && os.IsNotExist(err)
+			case "DIR":
+				match = match && err == nil && fi.IsDir()
+			default:
+				match = false
+			}
+		}
+	}
+	return match
+}
+
+// Interface guard
+var _ caddyhttp.RequestMatcher = (*FileMatcher)(nil)
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
new file mode 100644
index 0000000..e859abe
--- /dev/null
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -0,0 +1,416 @@
+package fileserver
+
+import (
+	"fmt"
+	"html/template"
+	weakrand "math/rand"
+	"net/http"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"time"
+
+	"bitbucket.org/lightcodelabs/caddy2"
+	"bitbucket.org/lightcodelabs/caddy2/modules/caddyhttp"
+)
+
+func init() {
+	weakrand.Seed(time.Now().UnixNano())
+
+	caddy2.RegisterModule(caddy2.Module{
+		Name: "http.responders.file_server",
+		New:  func() (interface{}, error) { return new(FileServer), nil },
+	})
+}
+
+// FileServer implements a static file server responder for Caddy.
+type FileServer struct {
+	Root            string              `json:"root"` // default is current directory
+	Hide            []string            `json:"hide"`
+	IndexNames      []string            `json:"index_names"`
+	Files           []string            `json:"files"`    // all relative to the root; default is request URI path
+	Rehandle        bool                `json:"rehandle"` // issue a rehandle (internal redirect) if request is rewritten
+	SelectionPolicy string              `json:"selection_policy"`
+	Fallback        caddyhttp.RouteList `json:"fallback"`
+	Browse          *Browse             `json:"browse"`
+	// TODO: Etag
+	// TODO: Content negotiation
+}
+
+// Provision sets up the static files responder.
+func (fsrv *FileServer) Provision(ctx caddy2.Context) error {
+	if fsrv.Fallback != nil {
+		err := fsrv.Fallback.Provision(ctx)
+		if err != nil {
+			return fmt.Errorf("setting up fallback routes: %v", err)
+		}
+	}
+
+	if fsrv.IndexNames == nil {
+		fsrv.IndexNames = defaultIndexNames
+	}
+
+	if fsrv.Browse != nil {
+		var tpl *template.Template
+		var err error
+		if fsrv.Browse.TemplateFile != "" {
+			tpl, err = template.ParseFiles(fsrv.Browse.TemplateFile)
+			if err != nil {
+				return fmt.Errorf("parsing browse template file: %v", err)
+			}
+		} else {
+			tpl, err = template.New("default_listing").Parse(defaultBrowseTemplate)
+			if err != nil {
+				return fmt.Errorf("parsing default browse template: %v", err)
+			}
+		}
+		fsrv.Browse.template = tpl
+	}
+
+	return nil
+}
+
+const (
+	selectionPolicyFirstExisting = "first_existing"
+	selectionPolicyLargestSize   = "largest_size"
+	selectionPolicySmallestSize  = "smallest_size"
+	selectionPolicyRecentlyMod   = "most_recently_modified"
+)
+
+// Validate ensures that sf has a valid configuration.
+func (fsrv *FileServer) Validate() error {
+	switch fsrv.SelectionPolicy {
+	case "",
+		selectionPolicyFirstExisting,
+		selectionPolicyLargestSize,
+		selectionPolicySmallestSize,
+		selectionPolicyRecentlyMod:
+	default:
+		return fmt.Errorf("unknown selection policy %s", fsrv.SelectionPolicy)
+	}
+	return nil
+}
+
+func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) error {
+	repl := r.Context().Value(caddy2.ReplacerCtxKey).(caddy2.Replacer)
+
+	filesToHide := fsrv.transformHidePaths(repl)
+
+	// map the request to a filename
+	pathBefore := r.URL.Path
+	filename := fsrv.selectFile(r, repl, filesToHide)
+	if filename == "" {
+		// no files worked, so resort to fallback
+		if fsrv.Fallback != nil {
+			fallback := fsrv.Fallback.BuildCompositeRoute(w, r)
+			return fallback.ServeHTTP(w, r)
+		}
+		return caddyhttp.Error(http.StatusNotFound, nil)
+	}
+
+	// if the ultimate destination has changed, submit
+	// this request for a rehandling (internal redirect)
+	// if configured to do so
+	if r.URL.Path != pathBefore && fsrv.Rehandle {
+		return caddyhttp.ErrRehandle
+	}
+
+	// get information about the file
+	info, err := os.Stat(filename)
+	if err != nil {
+		err = mapDirOpenError(err, filename)
+		if os.IsNotExist(err) {
+			return caddyhttp.Error(http.StatusNotFound, err)
+		} else if os.IsPermission(err) {
+			return caddyhttp.Error(http.StatusForbidden, err)
+		}
+		// TODO: treat this as resource exhaustion like with os.Open? Or unnecessary here?
+		return caddyhttp.Error(http.StatusInternalServerError, err)
+	}
+
+	// if the request mapped to a directory, see if
+	// there is an index file we can serve
+	if info.IsDir() && len(fsrv.IndexNames) > 0 {
+		for _, indexPage := range fsrv.IndexNames {
+			indexPath := sanitizedPathJoin(filename, indexPage)
+			if fileHidden(indexPath, filesToHide) {
+				// pretend this file doesn't exist
+				continue
+			}
+
+			indexInfo, err := os.Stat(indexPath)
+			if err != nil {
+				continue
+			}
+
+			// we found an index file that might work,
+			// so rewrite the request path and, if
+			// configured, do an internal redirect
+			r.URL.Path = path.Join(r.URL.Path, indexPage)
+			if fsrv.Rehandle {
+				return caddyhttp.ErrRehandle
+			}
+
+			info = indexInfo
+			filename = indexPath
+			break
+		}
+	}
+
+	// if still referencing a directory, delegate
+	// to browse or return an error
+	if info.IsDir() {
+		if fsrv.Browse != nil && !fileHidden(filename, filesToHide) {
+			return fsrv.serveBrowse(filename, w, r)
+		}
+		return caddyhttp.Error(http.StatusNotFound, nil)
+	}
+
+	// TODO: content negotiation (brotli sidecar files, etc...)
+
+	// one last check to ensure the file isn't hidden (we might
+	// have changed the filename from when we last checked)
+	if fileHidden(filename, filesToHide) {
+		return caddyhttp.Error(http.StatusNotFound, nil)
+	}
+
+	// open the file
+	file, err := fsrv.openFile(filename, w)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	// TODO: Etag
+
+	// TODO: Disable content-type sniffing by setting a content-type...
+
+	// let the standard library do what it does best; note, however,
+	// that errors generated by ServeContent are written immediately
+	// to the response, so we cannot handle them (but errors here
+	// are rare)
+	http.ServeContent(w, r, info.Name(), info.ModTime(), file)
+
+	return nil
+}
+
+// openFile opens the file at the given filename. If there was an error,
+// the response is configured to inform the client how to best handle it
+// and a well-described handler error is returned (do not wrap the
+// returned error value).
+func (fsrv *FileServer) openFile(filename string, w http.ResponseWriter) (*os.File, error) {
+	file, err := os.Open(filename)
+	if err != nil {
+		err = mapDirOpenError(err, filename)
+		if os.IsNotExist(err) {
+			return nil, caddyhttp.Error(http.StatusNotFound, err)
+		} else if os.IsPermission(err) {
+			return nil, caddyhttp.Error(http.StatusForbidden, err)
+		}
+		// maybe the server is under load and ran out of file descriptors?
+		// have client wait arbitrary seconds to help prevent a stampede
+		backoff := weakrand.Intn(maxBackoff-minBackoff) + minBackoff
+		w.Header().Set("Retry-After", strconv.Itoa(backoff))
+		return nil, caddyhttp.Error(http.StatusServiceUnavailable, err)
+	}
+	return file, nil
+}
+
+// mapDirOpenError maps the provided non-nil error from opening name
+// to a possibly better non-nil error. In particular, it turns OS-specific errors
+// about opening files in non-directories into os.ErrNotExist. See golang/go#18984.
+// Adapted from the Go standard library; originally written by Nathaniel Caza.
+// https://go-review.googlesource.com/c/go/+/36635/
+// https://go-review.googlesource.com/c/go/+/36804/
+func mapDirOpenError(originalErr error, name string) error {
+	if os.IsNotExist(originalErr) || os.IsPermission(originalErr) {
+		return originalErr
+	}
+
+	parts := strings.Split(name, string(filepath.Separator))
+	for i := range parts {
+		if parts[i] == "" {
+			continue
+		}
+		fi, err := os.Stat(strings.Join(parts[:i+1], string(filepath.Separator)))
+		if err != nil {
+			return originalErr
+		}
+		if !fi.IsDir() {
+			return os.ErrNotExist
+		}
+	}
+
+	return originalErr
+}
+
+// transformHidePaths performs replacements for all the elements of
+// fsrv.Hide and returns a new list of the transformed values.
+func (fsrv *FileServer) transformHidePaths(repl caddy2.Replacer) []string {
+	hide := make([]string, len(fsrv.Hide))
+	for i := range fsrv.Hide {
+		hide[i] = repl.ReplaceAll(fsrv.Hide[i], "")
+	}
+	return hide
+}
+
+// sanitizedPathJoin performs filepath.Join(root, reqPath) that
+// is safe against directory traversal attacks. It uses logic
+// similar to that in the Go standard library, specifically
+// in the implementation of http.Dir. The root is assumed to
+// be a trusted path, but reqPath is not.
+func sanitizedPathJoin(root, reqPath string) string {
+	// TODO: Caddy 1 uses this:
+	// prevent absolute path access on Windows, e.g. http://localhost:5000/C:\Windows\notepad.exe
+	// if runtime.GOOS == "windows" && len(reqPath) > 0 && filepath.IsAbs(reqPath[1:]) {
+	// TODO.
+	// }
+
+	// TODO: whereas std lib's http.Dir.Open() uses this:
+	// if filepath.Separator != '/' && strings.ContainsRune(name, filepath.Separator) {
+	// 	return nil, errors.New("http: invalid character in file path")
+	// }
+
+	// TODO: see https://play.golang.org/p/oh77BiVQFti for another thing to consider
+
+	if root == "" {
+		root = "."
+	}
+	return filepath.Join(root, filepath.FromSlash(path.Clean("/"+reqPath)))
+}
+
+// selectFile uses the specified selection policy (or first_existing
+// by default) to map the request r to a filename. The full path to
+// the file is returned if one is found; otherwise, an empty string
+// is returned.
+func (fsrv *FileServer) selectFile(r *http.Request, repl caddy2.Replacer, filesToHide []string) string {
+	root := repl.ReplaceAll(fsrv.Root, "")
+
+	if fsrv.Files == nil {
+		return sanitizedPathJoin(root, r.URL.Path)
+	}
+
+	switch fsrv.SelectionPolicy {
+	case "", selectionPolicyFirstExisting:
+		filesToHide := fsrv.transformHidePaths(repl)
+		for _, f := range fsrv.Files {
+			suffix := repl.ReplaceAll(f, "")
+			fullpath := sanitizedPathJoin(root, suffix)
+			if !fileHidden(fullpath, filesToHide) && fileExists(fullpath) {
+				r.URL.Path = suffix
+				return fullpath
+			}
+		}
+
+	case selectionPolicyLargestSize:
+		var largestSize int64
+		var largestFilename string
+		var largestSuffix string
+		for _, f := range fsrv.Files {
+			suffix := repl.ReplaceAll(f, "")
+			fullpath := sanitizedPathJoin(root, suffix)
+			if fileHidden(fullpath, filesToHide) {
+				continue
+			}
+			info, err := os.Stat(fullpath)
+			if err == nil && info.Size() > largestSize {
+				largestSize = info.Size()
+				largestFilename = fullpath
+				largestSuffix = suffix
+			}
+		}
+		r.URL.Path = largestSuffix
+		return largestFilename
+
+	case selectionPolicySmallestSize:
+		var smallestSize int64
+		var smallestFilename string
+		var smallestSuffix string
+		for _, f := range fsrv.Files {
+			suffix := repl.ReplaceAll(f, "")
+			fullpath := sanitizedPathJoin(root, suffix)
+			if fileHidden(fullpath, filesToHide) {
+				continue
+			}
+			info, err := os.Stat(fullpath)
+			if err == nil && (smallestSize == 0 || info.Size() < smallestSize) {
+				smallestSize = info.Size()
+				smallestFilename = fullpath
+				smallestSuffix = suffix
+			}
+		}
+		r.URL.Path = smallestSuffix
+		return smallestFilename
+
+	case selectionPolicyRecentlyMod:
+		var recentDate time.Time
+		var recentFilename string
+		var recentSuffix string
+		for _, f := range fsrv.Files {
+			suffix := repl.ReplaceAll(f, "")
+			fullpath := sanitizedPathJoin(root, suffix)
+			if fileHidden(fullpath, filesToHide) {
+				continue
+			}
+			info, err := os.Stat(fullpath)
+			if err == nil &&
+				(recentDate.IsZero() || info.ModTime().After(recentDate)) {
+				recentDate = info.ModTime()
+				recentFilename = fullpath
+				recentSuffix = suffix
+			}
+		}
+		r.URL.Path = recentSuffix
+		return recentFilename
+	}
+
+	return ""
+}
+
+// fileExists returns true if file exists.
+func fileExists(file string) bool {
+	_, err := os.Stat(file)
+	return !os.IsNotExist(err)
+}
+
+// fileHidden returns true if filename is hidden
+// according to the hide list.
+func fileHidden(filename string, hide []string) bool {
+	nameOnly := filepath.Base(filename)
+	sep := string(filepath.Separator)
+
+	// see if file is hidden
+	for _, h := range hide {
+		// assuming h is a glob/shell-like pattern,
+		// use it to compare the whole file path;
+		// but if there is no separator in h, then
+		// just compare against the file's name
+		compare := filename
+		if !strings.Contains(h, sep) {
+			compare = nameOnly
+		}
+
+		hidden, err := filepath.Match(h, compare)
+		if err != nil {
+			// malformed pattern; fallback by checking prefix
+			if strings.HasPrefix(filename, h) {
+				return true
+			}
+		}
+		if hidden {
+			// file name or path matches hide pattern
+			return true
+		}
+	}
+
+	return false
+}
+
+var defaultIndexNames = []string{"index.html"}
+
+const minBackoff, maxBackoff = 2, 5
+
+// Interface guard
+var _ caddyhttp.Handler = (*FileServer)(nil)
diff --git a/modules/caddyhttp/fileserver/staticfiles_test.go b/modules/caddyhttp/fileserver/staticfiles_test.go
new file mode 100644
index 0000000..2a99c71
--- /dev/null
+++ b/modules/caddyhttp/fileserver/staticfiles_test.go
@@ -0,0 +1,81 @@
+package fileserver
+
+import (
+	"net/url"
+	"testing"
+)
+
+func TestSanitizedPathJoin(t *testing.T) {
+	// For easy reference:
+	// %2E = .
+	// %2F = /
+	// %5C = \
+	for i, tc := range []struct {
+		inputRoot string
+		inputPath string
+		expect    string
+	}{
+		{
+			inputPath: "",
+			expect:    ".",
+		},
+		{
+			inputPath: "/",
+			expect:    ".",
+		},
+		{
+			inputPath: "/foo",
+			expect:    "foo",
+		},
+		{
+			inputPath: "/foo/bar",
+			expect:    "foo/bar",
+		},
+		{
+			inputRoot: "/a",
+			inputPath: "/foo/bar",
+			expect:    "/a/foo/bar",
+		},
+		{
+			inputPath: "/foo/../bar",
+			expect:    "bar",
+		},
+		{
+			inputRoot: "/a/b",
+			inputPath: "/foo/../bar",
+			expect:    "/a/b/bar",
+		},
+		{
+			inputRoot: "/a/b",
+			inputPath: "/..%2fbar",
+			expect:    "/a/b/bar",
+		},
+		{
+			inputRoot: "/a/b",
+			inputPath: "/%2e%2e%2fbar",
+			expect:    "/a/b/bar",
+		},
+		{
+			inputRoot: "/a/b",
+			inputPath: "/%2e%2e%2f%2e%2e%2f",
+			expect:    "/a/b",
+		},
+		// TODO: test windows paths... on windows... sigh.
+	} {
+		// we don't *need* to use an actual parsed URL, but it
+		// adds some authenticity to the tests since real-world
+		// values will be coming in from URLs; thus, the test
+		// corpus can contain paths as encoded by clients, which
+		// more closely emulates the actual attack vector
+		u, err := url.Parse("http://test:9999" + tc.inputPath)
+		if err != nil {
+			t.Fatalf("Test %d: invalid URL: %v", i, err)
+		}
+		actual := sanitizedPathJoin(tc.inputRoot, u.Path)
+		if actual != tc.expect {
+			t.Errorf("Test %d: [%s %s] => %s (expected %s)", i, tc.inputRoot, tc.inputPath, actual, tc.expect)
+		}
+	}
+}
+
+// TODO: test fileHidden
author	Matthew Holt <mholt@users.noreply.github.com>	2019-05-20 21:21:33 -0600
committer	Matthew Holt <mholt@users.noreply.github.com>	2019-05-20 21:21:33 -0600
commit	a9698728506c580bc38db2e122a5e6ef07f85ce6 (patch)
tree	a583112f114fc01e09867aa123578861637b04d5 /modules/caddyhttp/fileserver
parent	aaacab1bc3790e3a207ae5d70ca6559cac265bff (diff)