Harden static file server against path traversal

Author Mitja Felicijan <mitja.felicijan@gmail.com> 2026-05-18 15:41:58 +0200
Committer Mitja Felicijan <mitja.felicijan@gmail.com> 2026-05-18 15:41:58 +0200
Commit d561f62a2c0d3f6baa99c86d57dc20cacc1e31bc (patch)
-rw-r--r-- http.c 14
1 files changed, 9 insertions, 5 deletions
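--- a/http.c
+++ b/http.c
@@ -851,15 +851,19 @@
 
 static int l_http_static(lua_State *L) {
 	const char *path = luaL_checkstring(L, 1);
+	char resolved[PATH_MAX];
+	if (!realpath(path, resolved)) {
+		return luaL_error(L, "Could not resolve static directory: %s", path);
+	}
 	if (static_dir) {
 		free(static_dir);
 	}
-	char resolved[PATH_MAX];
-	if (realpath(path, resolved)) {
-		static_dir = strdup(resolved);
-	} else {
-		static_dir = strdup(path);
+	// Remove trailing slash if present
+	size_t len = strlen(resolved);
+	if (len > 1 && resolved[len - 1] == '/') {
+		resolved[len - 1] = '\0';
 	}
+	static_dir = strdup(resolved);
 	return 0;
 }
 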
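Review bot: The result of `strdup(resolved)` on the last added line is never checked, and the previous root has already been freed by then, so an allocation failure leaves `static_dir` NULL; how the request handler treats a NULL root is not visible in this section. Duplicating first and swapping afterwards keeps the old root intact on failure: `char *copy = strdup(resolved);`, `if (!copy) return luaL_error(L, "Out of memory");`, `free(static_dir); static_dir = copy;`. The trailing-slash strip looks redundant, since realpath() output ends in '/' only for the root directory, which the `len > 1` guard already excludes. Canonicalising the root here helps against traversal only if the code that serves requests (outside this section) also resolves each requested file and compares it with `static_dir` up to a path-separator boundary, so that a sibling directory whose name merely starts with the root's name does not pass a plain prefix test; that is worth confirming.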