Jason McBrayer jmcbray at carcosa.net
Mon Jun 15 11:55:33 BST 2020
- - - - - - - - - - - - - - - - - - -
Sure. Originally, I took a very simplistic approach, just eating '../' whenever I saw it in a request. Unfortunately, it didn't handle a bare '..', which meant the parent directory of the document root was listable. Worse, you could construct a request like gemini://my.site/.../...//.../...//etc/passwd to get whatever you wanted, as long as it was locally world-readable.
The fix normalizes all pathnames before looking for files, and it checks that the resulting path is under the document root. I pulled in a library to help with this, which I originally wanted to avoid, but pathname handling in Common Lisp is pretty weird, and I felt the library (ppath) was worth it.
--
+----------------------------------------------------------------+
| Jason F. McBrayer                      jmcbray at carcosa.net  |
| The scalloped tatters of the King in Yellow must hide Yhtill   |
| forever.                  R.W. Chambers _The King in Yellow_   |
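
The behaviour described in the message above, as an added example that is not part of the original post and not the server's own code: it is written in Python rather than the server's Common Lisp, and `DOC_ROOT`, `naive_resolve` and `safe_resolve` are hypothetical names. It puts the single-pass '../' filter beside the normalize-then-check fix and assumes the request path has already been percent-decoded.

```python
import posixpath

DOC_ROOT = "/srv/gemini"  # assumed document root (illustrative)

def naive_resolve(request_path):
    """Filter as described in the post: delete each '../' in one pass, then join."""
    stripped = request_path.replace("../", "")
    return DOC_ROOT + "/" + stripped.lstrip("/")

def safe_resolve(request_path, root=DOC_ROOT):
    """Normalize first, then require the result to be the root or below it.

    Returns the normalized path, or None if it falls outside the root.
    normpath is purely lexical; a server that follows symlinks would
    compare os.path.realpath() results instead.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, request_path.lstrip("/")))
    # Compare against root + "/" so a sibling such as /srv/gemini-private
    # does not pass a bare prefix test.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

if __name__ == "__main__":
    samples = [
        "index.gmi",
        "docs/../index.gmi",
        "..",                              # bare '..' from the post
        ".../...//.../...//etc/passwd",    # request shape from the post
        "../gemini-private/notes.gmi",     # constructed sibling-prefix case
    ]
    for path in samples:
        opened = posixpath.normpath(naive_resolve(path))
        print(f"{path!r:36} naive opens {opened!r:28} safe -> {safe_resolve(path)!r}")
```

With the check applied after normalization, '...' is just an oddly named directory under the root, so the request from the post resolves to a path that does not exist instead of escaping.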