From 72397c80b3bee2239a7b076bcffa2c4e853f6182 Mon Sep 17 00:00:00 2001
From: Matthias Andreas Benkard <code@mail.matthias.benkard.de>
Date: Sat, 12 Mar 2011 16:07:32 +0100
Subject: Do not handle static file requests for paths outside of
 *STATIC-FILES*.

---
 mulkcms-hunchentoot.lisp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'mulkcms-hunchentoot.lisp')

diff --git a/mulkcms-hunchentoot.lisp b/mulkcms-hunchentoot.lisp
index 6c5e039..babcae3 100644
--- a/mulkcms-hunchentoot.lisp
+++ b/mulkcms-hunchentoot.lisp
@@ -5,11 +5,15 @@
   )
 
 (defun dispatch-static-file-request (request)
-  ;; FIXME Can use paths like "/../mulkcms.lisp" or "//boot/initrd.img".
-  ;; That's bad.
   (let* ((relative-path (subseq (script-name request) 1))
          (file (merge-pathnames relative-path *static-files*)))
-    (and (probe-file file) (lambda () (handle-static-file file)))))
+    (and (probe-file file)
+         ;; For security (otherwise paths like "/../mulkcms.lisp" or
+         ;; "//boot/initrd.img" would be handled by sending the
+         ;; requested file...):
+         (starts-with-subseq (namestring (truename *static-files*))
+                             (namestring (truename file)))
+         (lambda () (handle-static-file file)))))
 
 (defun dispatch-mulkcms-request (request)
   (let* ((relative-path (subseq (script-name request) 1)))
-- 
cgit v1.2.3