mirror of
https://github.com/caddyserver/caddy.git
synced 2025-05-28 14:45:49 +08:00
fileserver: properly handle escaped/non-ascii paths (#4332)
* fileserver: properly handle escaped/non-ascii paths * fileserver: tests: accommodate Windows hate of colons in files names

committed by
GitHub

parent
2ebfda1ae9
commit
33c70f418f
@ -19,6 +19,7 @@ import (
|
||||
weakrand "math/rand"
|
||||
"mime"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"path"
|
||||
"path/filepath"
|
||||
@ -165,6 +166,16 @@ func (fsrv *FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request, next c
|
||||
filesToHide := fsrv.transformHidePaths(repl)
|
||||
|
||||
root := repl.ReplaceAll(fsrv.Root, ".")
|
||||
// PathUnescape returns an error if the escapes aren't well-formed,
|
||||
// meaning the count % matches the RFC. Return early if the escape is
|
||||
// improper.
|
||||
if _, err := url.PathUnescape(r.URL.Path); err != nil {
|
||||
fsrv.logger.Debug("improper path escape",
|
||||
zap.String("site_root", root),
|
||||
zap.String("request_path", r.URL.Path),
|
||||
zap.Error(err))
|
||||
return err
|
||||
}
|
||||
filename := caddyhttp.SanitizedPathJoin(root, r.URL.Path)
|
||||
|
||||
fsrv.logger.Debug("sanitized path join",
|
||||
|
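Review bot: The `url.PathUnescape(r.URL.Path)` guard runs on a string that net/http has already percent-decoded, so a file whose name contains a literal `%` (requested as `%25`) would, as far as I can tell, fail the check and be refused even though the request is well-formed. The decoded result is discarded and `SanitizedPathJoin` still receives `r.URL.Path`, so the guard tests a second decoding pass that nothing in this hunk applies. Malformed escapes in the request line are, I believe, already rejected when net/http parses the request URL, so the guard could probably be dropped. If it stays, the bare `return err` presumably surfaces as a 500, and a client error such as `return caddyhttp.Error(http.StatusBadRequest, err)` would fit better. ServeHTTP begins and ends outside this hunk, so the later handling of `filename` is not visible here.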