Fixed Directory Traversal Vulnerability in HTTP::StaticFileHandler

crystal-lang · Jan 13, 2016 · b2b2d93 · b2b2d93
1 parent f364e3e
commit b2b2d93
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 11 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.10.2 (2016-01-13)
+
+* Fixed Directory Traversal Vulnerability in HTTP::StaticFileHandler (thanks @MakeNowJust)
+
 ## 0.10.1 (2016-01-08)
 
 * Added `Int#popcount` (thanks @rmosolgo)

diff --git a/src/file.cr b/src/file.cr
@@ -335,16 +335,14 @@ class File < IO::FileDescriptor
     end
 
     parts = path.split(SEPARATOR)
-    was_letter = false
-    first_slash = true
     items = [] of String
     parts.each do |part|
-      if part.empty? && !was_letter
-        items << part if !first_slash
-      elsif part == ".."
-        items.pop if items.size > 0
-      elsif !part.empty? && part != "."
-        was_letter = true
+      case part
+      when "", "."
+        # Nothing
+      when ".."
+        items.pop?
+      else
         items << part
       end
     end

diff --git a/src/http/server/handlers/static_file_handler.cr b/src/http/server/handlers/static_file_handler.cr
@@ -1,12 +1,15 @@
 require "ecr/macros"
+require "uri"
 
 class HTTP::StaticFileHandler < HTTP::Handler
-  def initialize(@publicdir)
+  def initialize(publicdir)
+    @publicdir = File.expand_path publicdir
   end
 
   def call(request)
-    request_path = request.path.not_nil!
-    file_path = @publicdir + request_path
+    request_path = URI.unescape(request.path.not_nil!)
+    expanded_path = File.expand_path(request_path, "/")
+    file_path = File.join(@publicdir, expanded_path)
     if Dir.exists?(file_path)
       HTTP::Response.new(200, directory_listing(request_path, file_path), HTTP::Headers{"Content-Type": "text/html"})
     elsif File.exists?(file_path)