Harden static file server against path traversal
| Author | Mitja Felicijan <mitja.felicijan@gmail.com> | 2026-05-18 15:41:58 +0200 |
| Committer | Mitja Felicijan <mitja.felicijan@gmail.com> | 2026-05-18 15:41:58 +0200 |
| Commit | d561f62a2c0d3f6baa99c86d57dc20cacc1e31bc (patch) |
|
-rw-r--r-- |
http.c | 14 |
1 files changed, 9 insertions, 5 deletions
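--- a/http.c
+++ b/http.c
@@ -851,15 +851,19 @@
 
 static int l_http_static(lua_State *L) {
 const char *path = luaL_checkstring(L, 1);
+char resolved[PATH_MAX];
+if (!realpath(path, resolved)) {
+return luaL_error(L, "Could not resolve static directory: %s", path);
+}
 if (static_dir) {
 free(static_dir);
 }
-char resolved[PATH_MAX];
-if (realpath(path, resolved)) {
-static_dir = strdup(resolved);
-} else {
-static_dir = strdup(path);
+// Remove trailing slash if present
+size_t len = strlen(resolved);
+if (len > 1 && resolved[len - 1] == '/') {
+resolved[len - 1] = '\0';
 }
+static_dir = strdup(resolved);
 return 0;
 }
 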
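Review bot: The `strdup(resolved)` result at the end of l_http_static is stored unchecked, and the old value has already been freed, so an allocation failure leaves `static_dir` NULL without any error reaching the Lua caller. Duplicate first and swap only on success: `char *copy = strdup(resolved);`, `if (!copy) return luaL_error(L, "Out of memory while setting static directory");`, `free(static_dir); static_dir = copy;`. The request-path check that consumes static_dir is outside this section; since the root is now stored without a trailing slash, that check presumably compares prefixes, and it should require a `/` or end of string immediately after the prefix so that a sibling directory (constructed example: `/srv/www-old` next to `/srv/www`) is not accepted as inside the root. realpath() also succeeds on a regular file, so a `stat()` with `S_ISDIR` here would reject a non-directory root at configuration time rather than at request time.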