This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "snap-core".

The branch, 0.2-stable has been updated
       via  dcd9993a0fb32493e7861d261c0814cc03fc12ce (commit)
      from  e3f79bfa09324cf789e3726773516722adea291a (commit)


Summary of changes:
 src/Snap/Util/FileServe.hs |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit dcd9993a0fb32493e7861d261c0814cc03fc12ce
Author: Carl Howells <[email protected]>
Date:   Wed Nov 10 11:52:48 2010 -0800

    Fix Snap.Util.FileServe.getSafePath to reject non-relative paths

diff --git a/src/Snap/Util/FileServe.hs b/src/Snap/Util/FileServe.hs
index bd8222b..8c6e3dc 100644
--- a/src/Snap/Util/FileServe.hs
+++ b/src/Snap/Util/FileServe.hs
@@ -172,10 +172,14 @@ getSafePath = do
     req <- getRequest
     let p = S.unpack $ rqPathInfo req
 
+    -- relative paths only!
+    when (not $ isRelative p) pass
+
     -- check that we don't have any sneaky .. paths
     let dirs = splitDirectories p
     when (elem ".." dirs) pass
-    return p
+
+    return $ joinPath dirs
 
 
 ------------------------------------------------------------------------------
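Review bot: the commit message says only that non-relative paths are now rejected, but the final `+    return $ joinPath dirs` also changes what `getSafePath` returns: instead of the raw `p` from `rqPathInfo`, callers now get a path rebuilt from its components, which normalizes repeated separators and a trailing separator (assuming `splitDirectories` and `joinPath` are the System.FilePath functions). That behaviour change should be stated in the commit message or a Haddock comment on `getSafePath`, since code comparing the result against the original request path would see a difference. Two smaller points: the hunk shows no import changes, so confirm `isRelative` is already in scope from the same module as `splitDirectories`; and `when (not $ isRelative p) pass` reads more idiomatically as `unless (isRelative p) pass`. Ordering is right as written: the absolute-path rejection runs before the `..` component check and before any normalization, so the later check operates on the same components that are returned.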
-----------------------------------------------------------------------


hooks/post-receive
-- 
snap-core
_______________________________________________
Snap mailing list
[email protected]
http://mailman-mail5.webfaction.com/listinfo/snap
