mirror of
https://github.com/actix/actix-web.git
synced 2024-11-29 13:01:09 +00:00
prevent drive traversal in windows
This commit is contained in:
parent
5454699bab
commit
1bd2076b35
1 changed files with 29 additions and 1 deletions
|
@ -59,6 +59,8 @@ impl PathBufWrap {
|
||||||
continue;
|
continue;
|
||||||
} else if cfg!(windows) && segment.contains('\\') {
|
} else if cfg!(windows) && segment.contains('\\') {
|
||||||
return Err(UriSegmentError::BadChar('\\'));
|
return Err(UriSegmentError::BadChar('\\'));
|
||||||
|
} else if cfg!(windows) && segment.contains(':') {
|
||||||
|
return Err(UriSegmentError::BadChar(':'));
|
||||||
} else {
|
} else {
|
||||||
buf.push(segment)
|
buf.push(segment)
|
||||||
}
|
}
|
||||||
|
@ -66,7 +68,11 @@ impl PathBufWrap {
|
||||||
|
|
||||||
// make sure we agree with stdlib parser
|
// make sure we agree with stdlib parser
|
||||||
for (i, component) in buf.components().enumerate() {
|
for (i, component) in buf.components().enumerate() {
|
||||||
assert!(matches!(component, Component::Normal(_)));
|
assert!(
|
||||||
|
matches!(component, Component::Normal(_)),
|
||||||
|
"component `{:?}` is not normal",
|
||||||
|
component
|
||||||
|
);
|
||||||
assert!(i < segment_count);
|
assert!(i < segment_count);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -159,4 +165,26 @@ mod tests {
|
||||||
PathBuf::from_iter(vec!["etc/passwd"])
|
PathBuf::from_iter(vec!["etc/passwd"])
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[test]
|
||||||
|
#[cfg_attr(windows, should_panic)]
|
||||||
|
fn windows_drive_traversal() {
|
||||||
|
// detect issues in windows that could lead to path traversal
|
||||||
|
// see <https://github.com/SergioBenitez/Rocket/issues/1949
|
||||||
|
|
||||||
|
assert_eq!(
|
||||||
|
PathBufWrap::parse_path("C:test.txt", false).unwrap().0,
|
||||||
|
PathBuf::from_iter(vec!["C:test.txt"])
|
||||||
|
);
|
||||||
|
|
||||||
|
assert_eq!(
|
||||||
|
PathBufWrap::parse_path("C:../whatever", false).unwrap().0,
|
||||||
|
PathBuf::from_iter(vec!["C:../whatever"])
|
||||||
|
);
|
||||||
|
|
||||||
|
assert_eq!(
|
||||||
|
PathBufWrap::parse_path(":test.txt", false).unwrap().0,
|
||||||
|
PathBuf::from_iter(vec![":test.txt"])
|
||||||
|
);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue