commit 4e7d09204fd9a8e4ea0ea0f8ebc244bcbd780c89
parent 972ecf8c1372d8b22d0ead0facdf33db80864185
Author: Johann150 <johann.galle@protonmail.com>
Date: Sat, 16 Jan 2021 13:22:56 +0100
only check path segments in URL
This will only check path segments specified in the request URL and not
path segments that are part of the path specified on the command line.
Otherwise if the content directory was (in) a hidden directory, or specified
with a relative path containing "." or ".." segments, nothing would be served.
Diffstat:
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/src/main.rs b/src/main.rs
@@ -178,20 +178,15 @@ async fn send_response(url: Url, stream: &mut TlsStream<TcpStream>) -> Result {
let mut path = std::path::PathBuf::from(&ARGS.content_dir);
if let Some(segments) = url.path_segments() {
for segment in segments {
+ if !ARGS.serve_secret && segment.starts_with('.') {
+ // Do not serve anything that looks like a hidden file.
+ return send_header(stream, 52, &["If I told you, it would not be a secret."])
+ .await;
+ }
path.push(&*percent_decode_str(segment).decode_utf8()?);
}
}
- // Do not serve anything that looks like a hidden file.
- if !ARGS.serve_secret
- && path
- .iter()
- .filter_map(|component| component.to_str())
- .any(|component| component.starts_with("."))
- {
- return send_header(stream, 52, &["If I told you, it would not be a secret."]).await;
- }
-
if let Ok(metadata) = tokio::fs::metadata(&path).await {
if metadata.is_dir() {
if url.path().ends_with('/') || url.path().is_empty() {
