aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_http_files.lua
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2016-01-07 15:37:47 +0000
committerMatthew Wild <mwild1@gmail.com>2016-01-07 15:37:47 +0000
commit759f20d3c8c6432bd01d14d705dbf04ef2a73af7 (patch)
tree96462213eb1c7ba0cae399a7098652b4fbdd9a2b /plugins/mod_http_files.lua
parent9df17387ef9ce78bd05d94ee7ccd4ef4599df910 (diff)
downloadprosody-759f20d3c8c6432bd01d14d705dbf04ef2a73af7.tar.gz
prosody-759f20d3c8c6432bd01d14d705dbf04ef2a73af7.zip
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Diffstat (limited to 'plugins/mod_http_files.lua')
-rw-r--r--plugins/mod_http_files.lua34
1 files changed, 33 insertions, 1 deletions
diff --git a/plugins/mod_http_files.lua b/plugins/mod_http_files.lua
index 9839fed9..6275cca5 100644
--- a/plugins/mod_http_files.lua
+++ b/plugins/mod_http_files.lua
@@ -49,6 +49,34 @@ if not mime_map then
end
end
+local forbidden_chars_pattern = "[/%z]";
+if prosody.platform == "windows" then
+ forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]"
+end
+
+local urldecode = require "util.http".urldecode;
+function sanitize_path(path)
+ local out = {};
+
+ local c = 0;
+ for component in path:gmatch("([^/]+)") do
+ component = urldecode(component);
+ if component:find(forbidden_chars_pattern) then
+ return nil;
+ elseif component == ".." then
+ if c <= 0 then
+ return nil;
+ end
+ out[c] = nil;
+ c = c - 1;
+ elseif component ~= "." then
+ c = c + 1;
+ out[c] = component;
+ end
+ end
+ return "/"..table.concat(out, "/");
+end
+
local cache = setmetatable({}, { __mode = "kv" }); -- Let the garbage collector have it if it wants to.
function serve(opts)
@@ -60,7 +88,11 @@ function serve(opts)
local directory_index = opts.directory_index;
local function serve_file(event, path)
local request, response = event.request, event.response;
- local orig_path = request.path;
+ path = sanitize_path(path);
+ if not path then
+ return 400;
+ end
+ local orig_path = sanitize_path(request.path);
local full_path = base_path .. (path and "/"..path or ""):gsub("/", path_sep);
local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows
if not attr then