This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "snap-core".
The branch, master has been updated
via fb21b10c56523b873622e231357c6735045b319d (commit)
from 65058003feee1f0d8a6e17eabef9b3d1826ab801 (commit)
Summary of changes:
src/Snap/Util/FileServe.hs | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit fb21b10c56523b873622e231357c6735045b319d
Author: Carl Howells <[email protected]>
Date: Wed Nov 10 11:52:48 2010 -0800
Fix Snap.Util.FileServe.getSafePath to reject non-relative paths
diff --git a/src/Snap/Util/FileServe.hs b/src/Snap/Util/FileServe.hs
index 7a1d16c..8d98fce 100644
--- a/src/Snap/Util/FileServe.hs
+++ b/src/Snap/Util/FileServe.hs
@@ -172,10 +172,14 @@ getSafePath = do
req <- getRequest
let p = S.unpack $ rqPathInfo req
+ -- relative paths only!
+ when (not $ isRelative p) pass
+
-- check that we don't have any sneaky .. paths
let dirs = splitDirectories p
when (elem ".." dirs) pass
- return p
+
+ return $ joinPath dirs
------------------------------------------------------------------------------
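Review bot: The new `when (not $ isRelative p) pass` guard and the changed return value `return $ joinPath dirs` arrive without any test; the summary of changes lists only src/Snap/Util/FileServe.hs. Since this is a path-validation fix, please add cases asserting that getSafePath passes on a non-relative rqPathInfo, still passes on one containing a `..` component, and still returns an ordinary relative path. Two smaller points on the same lines: the comment `-- relative paths only!` says what is checked but not why a non-relative path is unsafe for the caller, and the function now returns the re-joined `dirs` rather than the original `p`, so the result may no longer be byte-identical to the request path (for example where separators are repeated); a one-line comment on the return would make that intentional normalization explicit. Assuming `isRelative`, `splitDirectories` and `joinPath` are the System.FilePath functions, their behaviour follows the build platform's path rules, which is worth stating in the comment as well.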
-----------------------------------------------------------------------
hooks/post-receive
--
snap-core