Diffstat (limited to 'modules/caddyhttp/fileserver/staticfiles.go')
-rw-r--r--modules/caddyhttp/fileserver/staticfiles.go11
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index 592b317..3e096e1 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -19,6 +19,7 @@ import (
weakrand "math/rand"
"mime"
"net/http"
+ "net/url"
"os"
"path"
"path/filepath"
@@ -165,6 +166,16 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
filesToHide := fsrv.transformHidePaths(repl)
root := repl.ReplaceAll(fsrv.Root, ".")
+ // PathUnescape returns an error if the escapes aren't well-formed,
+ // meaning the count % matches the RFC. Return early if the escape is
+ // improper.
+ if _, err := url.PathUnescape(r.URL.Path); err != nil {
+ fsrv.logger.Debug("improper path escape",
+ zap.String("site_root", root),
+ zap.String("request_path", r.URL.Path),
+ zap.Error(err))
+ return err
+ }
filename := caddyhttp.SanitizedPathJoin(root, r.URL.Path)
fsrv.logger.Debug("sanitized path join",
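Review bot: The `return err` inside the new `url.PathUnescape` guard hands a bare error back to the handler chain, so a client-supplied malformed path will probably surface as a server-side error instead of a client error; wrapping it as `return caddyhttp.Error(http.StatusBadRequest, err)` would keep malformed requests out of 5xx alerting and give the client an accurate status. Note also that `r.URL.Path` is already the decoded form in net/http, so this check is a second decode pass over it: a file whose name contains a literal `%` not followed by two hex digits (requested as `%25`) would be rejected here even though the request was well-formed. If that is intended hardening against double-encoded input, the comment should say so, for example `// r.URL.Path is already decoded; reject any path that still contains a malformed %-escape.`, since the current wording "the count % matches the RFC" is hard to follow. The body of ServeHTTP starts and ends outside this hunk, so how the returned error is ultimately mapped to a status is not visible here.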