Fix malicious drive letter in path

stephank · Nov 30, 2022 · 1e40e31 · 1e40e31
1 parent fc00bdc
commit 1e40e31
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/src/util/requested_path.rs b/src/util/requested_path.rs
@@ -11,7 +11,14 @@ fn normalize_path(path: &Path) -> PathBuf {
     path.components()
         .fold(PathBuf::new(), |mut result, p| match p {
             Component::Normal(x) => {
-                result.push(x);
+                // Parse again to prevent a malicious component containing
+                // a Windows drive letter, e.g.: `/anypath/c:/windows/win.ini`
+                if Path::new(&x)
+                    .components()
+                    .all(|c| matches!(c, Component::Normal(_)))
+                {
+                    result.push(x);
+                }
                 result
             }
             Component::ParentDir => {

diff --git a/tests/static.rs b/tests/static.rs
@@ -408,3 +408,12 @@ async fn serves_requested_range_not_satisfiable_when_at_end() {
     let res = harness.request(req).await.unwrap();
     assert_eq!(res.status(), hyper::StatusCode::RANGE_NOT_SATISFIABLE);
 }
+
+#[cfg(target_os = "windows")]
+#[tokio::test]
+async fn ignore_windows_drive_letter() {
+    let harness = Harness::new(vec![("file1.html", "this is file1")]);
+
+    let res = harness.get("/c:/file1.html").await.unwrap();
+    assert_eq!(read_body(res).await, "this is file1");
+}