1
0
Fork 0
mirror of https://github.com/actix/actix-web.git synced 2024-11-29 13:01:09 +00:00

prevent drive traversal in windows

This commit is contained in:
Rob Ede 2022-01-25 16:44:05 +00:00
parent 5454699bab
commit 1bd2076b35
No known key found for this signature in database
GPG key ID: 97C636207D3EF933

View file

@ -59,6 +59,8 @@ impl PathBufWrap {
continue; continue;
} else if cfg!(windows) && segment.contains('\\') { } else if cfg!(windows) && segment.contains('\\') {
return Err(UriSegmentError::BadChar('\\')); return Err(UriSegmentError::BadChar('\\'));
} else if cfg!(windows) && segment.contains(':') {
return Err(UriSegmentError::BadChar(':'));
} else { } else {
buf.push(segment) buf.push(segment)
} }
@ -66,7 +68,11 @@ impl PathBufWrap {
// make sure we agree with stdlib parser // make sure we agree with stdlib parser
for (i, component) in buf.components().enumerate() { for (i, component) in buf.components().enumerate() {
assert!(matches!(component, Component::Normal(_))); assert!(
matches!(component, Component::Normal(_)),
"component `{:?}` is not normal",
component
);
assert!(i < segment_count); assert!(i < segment_count);
} }
@ -159,4 +165,26 @@ mod tests {
PathBuf::from_iter(vec!["etc/passwd"]) PathBuf::from_iter(vec!["etc/passwd"])
); );
} }
#[test]
#[cfg_attr(windows, should_panic)]
fn windows_drive_traversal() {
// detect issues in windows that could lead to path traversal
// see <https://github.com/SergioBenitez/Rocket/issues/1949
assert_eq!(
PathBufWrap::parse_path("C:test.txt", false).unwrap().0,
PathBuf::from_iter(vec!["C:test.txt"])
);
assert_eq!(
PathBufWrap::parse_path("C:../whatever", false).unwrap().0,
PathBuf::from_iter(vec!["C:../whatever"])
);
assert_eq!(
PathBufWrap::parse_path(":test.txt", false).unwrap().0,
PathBuf::from_iter(vec![":test.txt"])
);
}
} }