Do not handle static file requests for paths outside of *STATIC-FILES*.

author: Matthias Andreas Benkard <code@mail.matthias.benkard.de> 2011-03-12 16:07:32 +0100
committer: Matthias Andreas Benkard <code@mail.matthias.benkard.de> 2011-03-12 16:07:32 +0100
commit: 72397c80b3bee2239a7b076bcffa2c4e853f6182 (patch)
tree: 2232a46dcb822311b7f714d4f63c9b31ac7db75c /mulkcms-hunchentoot.lisp
parent: 9c1d0dd3041f1a062f2d9708c0dc6eaa7f089c80 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/mulkcms-hunchentoot.lisp b/mulkcms-hunchentoot.lisp
index 6c5e039..babcae3 100644
--- a/mulkcms-hunchentoot.lisp
+++ b/mulkcms-hunchentoot.lisp
@@ -5,11 +5,15 @@
   )
 
 (defun dispatch-static-file-request (request)
-  ;; FIXME Can use paths like "/../mulkcms.lisp" or "//boot/initrd.img".
-  ;; That's bad.
   (let* ((relative-path (subseq (script-name request) 1))
          (file (merge-pathnames relative-path *static-files*)))
-    (and (probe-file file) (lambda () (handle-static-file file)))))
+    (and (probe-file file)
+         ;; For security (otherwise paths like "/../mulkcms.lisp" or
+         ;; "//boot/initrd.img" would be handled by sending the
+         ;; requested file...):
+         (starts-with-subseq (namestring (truename *static-files*))
+                             (namestring (truename file)))
+         (lambda () (handle-static-file file)))))
 
 (defun dispatch-mulkcms-request (request)
   (let* ((relative-path (subseq (script-name request) 1)))
author	Matthias Andreas Benkard <code@mail.matthias.benkard.de>	2011-03-12 16:07:32 +0100
committer	Matthias Andreas Benkard <code@mail.matthias.benkard.de>	2011-03-12 16:07:32 +0100
commit	72397c80b3bee2239a7b076bcffa2c4e853f6182 (patch)
tree	2232a46dcb822311b7f714d4f63c9b31ac7db75c /mulkcms-hunchentoot.lisp
parent	9c1d0dd3041f1a062f2d9708c0dc6eaa7f089c80 (diff)