Sure. Originally, I took a very simplistic approach, just eating '../' whenever I saw it in a request. Unfortunately, it didn't handle a bare '..', which meant the parent directory of the document root was listable. Worse, you could construct a request like gemini://my.site/.../...//.../...//etc/passwd to get whatever you wanted, as long as it was locally world-readable.

The fix normalizes all pathnames before looking for files, and it checks that the resulting path is under the document root. I pulled in a library to help with this, which I originally wanted to avoid, but pathname handling in Common Lisp is pretty weird, and I felt the library (ppath) was worth it.

-- 
+----------------------------------------------------------------+
| Jason F. McBrayer                        jmcbray at carcosa.net |
| The scalloped tatters of the King in Yellow must hide Yhtill   |
| forever.                 R.W. Chambers _The King in Yellow_    |