Software / code / prosody
Annotate
plugins/mod_http_files.lua @ 12181:783056b4e448 0.11 0.11.12
util.xml: Do not allow doctypes, comments or processing instructions
Yes. This is as bad as it sounds. CVE pending.
In Prosody itself, this only affects mod_websocket, which uses util.xml
to parse the <open/> frame, thus allowing unauthenticated remote DoS
using Billion Laughs. However, third-party modules using util.xml may
also be affected by this.
This commit installs handlers which disallow the use of doctype
declarations and processing instructions without any escape hatch. It,
by default, also introduces such a handler for comments, however, there
is a way to enable comments nontheless.
This is because util.xml is used to parse human-facing data, where
comments are generally a desirable feature, and also because comments
are generally harmless.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Mon, 10 Jan 2022 18:23:54 +0100 |
| parent | 10776:8f3b87eaec49 |
| child | 10778:a62b981db0e2 |
| rev | line source |
|---|---|
|
1522
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1384
diff
changeset
|
1 -- Prosody IM |
|
2923
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2785
diff
changeset
|
2 -- Copyright (C) 2008-2010 Matthew Wild |
|
b7049746bd29
Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents:
2785
diff
changeset
|
3 -- Copyright (C) 2008-2010 Waqas Hussain |
|
5776
bd0ff8ae98a8
Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents:
5718
diff
changeset
|
4 -- |
|
1522
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1384
diff
changeset
|
5 -- This project is MIT/X11 licensed. Please see the |
|
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1384
diff
changeset
|
6 -- COPYING file in the source package for more information. |
|
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1384
diff
changeset
|
7 -- |
|
569d58d21612
Add copyright header to those files missing one
Matthew Wild <mwild1@gmail.com>
parents:
1384
diff
changeset
|
8 |
|
4670
bd5e5e23942a
mod_httpserver: Adapt to use the new HTTP API
Kim Alvefur <zash@zash.se>
parents:
3353
diff
changeset
|
9 module:depends("http"); |
|
5263
736e7ec8cd2e
mod_http_files: Replace file listing with an event, allowing a different plugin to generate it
Kim Alvefur <zash@zash.se>
parents:
5262
diff
changeset
|
10 local server = require"net.http.server"; |
|
3353
cd3cbf361f8f
mod_httpserver: Serve index.html if a request is made for a directory and it contains one (thanks Brian Cully)
Matthew Wild <mwild1@gmail.com>
parents:
2925
diff
changeset
|
11 local lfs = require "lfs"; |
|
635
25f1117d7886
Add initial mod_httpserver for serving static content
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
|
5235
e0373e0dd048
mod_http_files: Add Last-Modified header
Kim Alvefur <zash@zash.se>
parents:
5234
diff
changeset
|
13 local os_date = os.date; |
|
635
25f1117d7886
Add initial mod_httpserver for serving static content
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local open = io.open; |
|
3353
cd3cbf361f8f
mod_httpserver: Serve index.html if a request is made for a directory and it contains one (thanks Brian Cully)
Matthew Wild <mwild1@gmail.com>
parents:
2925
diff
changeset
|
15 local stat = lfs.attributes; |
|
5257
b125892e187c
mod_http_files: Escape paths in redirects
Kim Alvefur <zash@zash.se>
parents:
5256
diff
changeset
|
16 local build_path = require"socket.url".build_path; |
|
6030
9b91242cc137
mod_http_files: Strip path separator from end of paths, was broken on Windows (thanks Junne)
Kim Alvefur <zash@zash.se>
parents:
5716
diff
changeset
|
17 local path_sep = package.config:sub(1,1); |
|
635
25f1117d7886
Add initial mod_httpserver for serving static content
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 |
|
7991
35a02ba83af2
mod_http_files: Use path variant of config option API for http_files_dir
Kim Alvefur <zash@zash.se>
parents:
7985
diff
changeset
|
19 local base_path = module:get_option_path("http_files_dir", module:get_option_path("http_path")); |
|
7490
b75b08af7a78
mod_http_files: Switch to use util.cache for cache
Kim Alvefur <zash@zash.se>
parents:
7487
diff
changeset
|
20 local cache_size = module:get_option_number("http_files_cache_size", 128); |
|
7491
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
21 local cache_max_file_size = module:get_option_number("http_files_cache_max_file_size", 4096); |
|
7977
01d6298de991
plugins/various: Use type-specific config API
Kim Alvefur <zash@zash.se>
parents:
7491
diff
changeset
|
22 local dir_indices = module:get_option_array("http_index_files", { "index.html", "index.htm" }); |
|
5261
b14f02671439
mod_http_files: Rename config options and variable names
Kim Alvefur <zash@zash.se>
parents:
5260
diff
changeset
|
23 local directory_index = module:get_option_boolean("http_dir_listing"); |
|
635
25f1117d7886
Add initial mod_httpserver for serving static content
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
|
5716
8a0465de172e
mod_http_files: Put the MIME type map in a global shared table instead of per-host
Kim Alvefur <zash@zash.se>
parents:
5269
diff
changeset
|
25 local mime_map = module:shared("/*/http_files/mime").types; |
|
5237
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
26 if not mime_map then |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
27 mime_map = { |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
28 html = "text/html", htm = "text/html", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
29 xml = "application/xml", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
30 txt = "text/plain", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
31 css = "text/css", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
32 js = "application/javascript", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
33 png = "image/png", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
34 gif = "image/gif", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
35 jpeg = "image/jpeg", jpg = "image/jpeg", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
36 svg = "image/svg+xml", |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
37 }; |
|
5716
8a0465de172e
mod_http_files: Put the MIME type map in a global shared table instead of per-host
Kim Alvefur <zash@zash.se>
parents:
5269
diff
changeset
|
38 module:shared("/*/http_files/mime").types = mime_map; |
|
5237
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
39 |
|
7985
6521a51bb718
mod_http_files: Pass only the name of the path, get_option_path knows how to deal with it
Kim Alvefur <zash@zash.se>
parents:
7978
diff
changeset
|
40 local mime_types, err = open(module:get_option_path("mime_types_file", "/etc/mime.types", "config"), "r"); |
|
5237
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
41 if mime_types then |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
42 local mime_data = mime_types:read("*a"); |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
43 mime_types:close(); |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
44 setmetatable(mime_map, { |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
45 __index = function(t, ext) |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
46 local typ = mime_data:match("\n(%S+)[^\n]*%s"..(ext:lower()).."%s") or "application/octet-stream"; |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
47 t[ext] = typ; |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
48 return typ; |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
49 end |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
50 }); |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
51 end |
|
b1038f449e15
mod_http_files: Have mimetypes in a shared table. Get mimetypes from /etc/mime.types if exists.
Kim Alvefur <zash@zash.se>
parents:
5236
diff
changeset
|
52 end |
|
2771
c9834f338a4e
mod_httpserver: Return Content-Type header based on file extension.
Waqas Hussain <waqas20@gmail.com>
parents:
1870
diff
changeset
|
53 |
|
7058
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
54 local forbidden_chars_pattern = "[/%z]"; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
55 if prosody.platform == "windows" then |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
56 forbidden_chars_pattern = "[/%z\001-\031\127\"*:<>?|]" |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
57 end |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
58 |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
59 local urldecode = require "util.http".urldecode; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
60 function sanitize_path(path) |
|
7228
b5b7ae2901e6
mod_http_files: Fix traceback when serving a non-wildcard path (fixes #611)
Kim Alvefur <zash@zash.se>
parents:
7058
diff
changeset
|
61 if not path then return end |
|
7058
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
62 local out = {}; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
63 |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
64 local c = 0; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
65 for component in path:gmatch("([^/]+)") do |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
66 component = urldecode(component); |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
67 if component:find(forbidden_chars_pattern) then |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
68 return nil; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
69 elseif component == ".." then |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
70 if c <= 0 then |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
71 return nil; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
72 end |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
73 out[c] = nil; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
74 c = c - 1; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
75 elseif component ~= "." then |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
76 c = c + 1; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
77 out[c] = component; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
78 end |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
79 end |
|
7230
20246b139607
mod_http_files: Preserve a trailing / in paths (fixes #639)
Kim Alvefur <zash@zash.se>
parents:
7229
diff
changeset
|
80 if path:sub(-1,-1) == "/" then |
|
20246b139607
mod_http_files: Preserve a trailing / in paths (fixes #639)
Kim Alvefur <zash@zash.se>
parents:
7229
diff
changeset
|
81 out[c+1] = ""; |
|
20246b139607
mod_http_files: Preserve a trailing / in paths (fixes #639)
Kim Alvefur <zash@zash.se>
parents:
7229
diff
changeset
|
82 end |
|
7058
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
83 return "/"..table.concat(out, "/"); |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
84 end |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
85 |
|
7490
b75b08af7a78
mod_http_files: Switch to use util.cache for cache
Kim Alvefur <zash@zash.se>
parents:
7487
diff
changeset
|
86 local cache = require "util.cache".new(cache_size); |
|
5236
8d116a0cdacd
mod_http_files: Cache data read from disk in a weak table
Kim Alvefur <zash@zash.se>
parents:
5235
diff
changeset
|
87 |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
88 function serve(opts) |
|
5268
69964d1cbe66
mod_http_files: Allow passing a string to serve()
Kim Alvefur <zash@zash.se>
parents:
5265
diff
changeset
|
89 if type(opts) ~= "table" then -- assume path string |
|
69964d1cbe66
mod_http_files: Allow passing a string to serve()
Kim Alvefur <zash@zash.se>
parents:
5265
diff
changeset
|
90 opts = { path = opts }; |
|
69964d1cbe66
mod_http_files: Allow passing a string to serve()
Kim Alvefur <zash@zash.se>
parents:
5265
diff
changeset
|
91 end |
|
9462
6489d75ff1d6
mod_http_files: Silence luacheck warnings related to config variables
Kim Alvefur <zash@zash.se>
parents:
8757
diff
changeset
|
92 -- luacheck: ignore 431 |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
93 local base_path = opts.path; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
94 local dir_indices = opts.index_files or dir_indices; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
95 local directory_index = opts.directory_index; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
96 local function serve_file(event, path) |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
97 local request, response = event.request, event.response; |
|
7228
b5b7ae2901e6
mod_http_files: Fix traceback when serving a non-wildcard path (fixes #611)
Kim Alvefur <zash@zash.se>
parents:
7058
diff
changeset
|
98 local sanitized_path = sanitize_path(path); |
|
b5b7ae2901e6
mod_http_files: Fix traceback when serving a non-wildcard path (fixes #611)
Kim Alvefur <zash@zash.se>
parents:
7058
diff
changeset
|
99 if path and not sanitized_path then |
|
7058
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
100 return 400; |
|
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
101 end |
|
7228
b5b7ae2901e6
mod_http_files: Fix traceback when serving a non-wildcard path (fixes #611)
Kim Alvefur <zash@zash.se>
parents:
7058
diff
changeset
|
102 path = sanitized_path; |
|
7058
e9f07febafb3
mod_http_files: Santize the path relative to our base URL before translating it to a filesystem path, fixes a relative path traversal vulnerability
Matthew Wild <mwild1@gmail.com>
parents:
6873
diff
changeset
|
103 local orig_path = sanitize_path(request.path); |
|
7229
dcc8ed11173c
mod_http_files: Don't prepend / to path twice, sanitize path does this already
Kim Alvefur <zash@zash.se>
parents:
7228
diff
changeset
|
104 local full_path = base_path .. (path or ""):gsub("/", path_sep); |
|
6872
eb28067faadf
mod_http_files: Strip trailing directory separator regardless of directionality of the slash (fixes #545)
Kim Alvefur <zash@zash.se>
parents:
6030
diff
changeset
|
105 local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
106 if not attr then |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
107 return 404; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
108 end |
|
5248
13553f4132a8
mod_http_files: Compare If-Modified-Since to last modification date
Kim Alvefur <zash@zash.se>
parents:
5247
diff
changeset
|
109 |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
110 local request_headers, response_headers = request.headers, response.headers; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
111 |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
112 local last_modified = os_date('!%a, %d %b %Y %H:%M:%S GMT', attr.modification); |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
113 response_headers.last_modified = last_modified; |
|
5234
a9f0a1becc66
mod_http_files: Add ETag and check If-None-Match to allow client-side cache
Kim Alvefur <zash@zash.se>
parents:
5233
diff
changeset
|
114 |
|
10776
8f3b87eaec49
mod_http_files: Avoid using inode in etag, fix #1498
Kim Alvefur <zash@zash.se>
parents:
9463
diff
changeset
|
115 local etag = ('"%x-%x-%x"'):format(attr.change or 0, attr.size or 0, attr.modification or 0); |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
116 response_headers.etag = etag; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
117 |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
118 local if_none_match = request_headers.if_none_match |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
119 local if_modified_since = request_headers.if_modified_since; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
120 if etag == if_none_match |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
121 or (not if_none_match and last_modified == if_modified_since) then |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
122 return 304; |
|
4868
550f0a5e85c5
mod_http_files: Respond with a 301 redirect for directories to append a / (fixes relative links)
Kim Alvefur <zash@zash.se>
parents:
4722
diff
changeset
|
123 end |
|
550f0a5e85c5
mod_http_files: Respond with a 301 redirect for directories to append a / (fixes relative links)
Kim Alvefur <zash@zash.se>
parents:
4722
diff
changeset
|
124 |
|
7490
b75b08af7a78
mod_http_files: Switch to use util.cache for cache
Kim Alvefur <zash@zash.se>
parents:
7487
diff
changeset
|
125 local data = cache:get(orig_path); |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
126 if data and data.etag == etag then |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
127 response_headers.content_type = data.content_type; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
128 data = data.data; |
|
5264
700ff21a0451
mod_http_files: Work with non-wildcard-routes. Key cache on the original HTTP path.
Kim Alvefur <zash@zash.se>
parents:
5263
diff
changeset
|
129 elseif attr.mode == "directory" and path then |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
130 if full_path:sub(-1) ~= "/" then |
|
9463
f7530c846f98
mod_http_files: Rename variable to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
9462
diff
changeset
|
131 local dir_path = { is_absolute = true, is_directory = true }; |
|
f7530c846f98
mod_http_files: Rename variable to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
9462
diff
changeset
|
132 for dir in orig_path:gmatch("[^/]+") do dir_path[#dir_path+1]=dir; end |
|
f7530c846f98
mod_http_files: Rename variable to avoid name clash [luacheck]
Kim Alvefur <zash@zash.se>
parents:
9462
diff
changeset
|
133 response_headers.location = build_path(dir_path); |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
134 return 301; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
135 end |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
136 for i=1,#dir_indices do |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
137 if stat(full_path..dir_indices[i], "mode") == "file" then |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
138 return serve_file(event, path..dir_indices[i]); |
|
5238
0cc0359d8c39
mod_http_files: Generate simple directory index.
Kim Alvefur <zash@zash.se>
parents:
5237
diff
changeset
|
139 end |
|
0cc0359d8c39
mod_http_files: Generate simple directory index.
Kim Alvefur <zash@zash.se>
parents:
5237
diff
changeset
|
140 end |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
141 |
|
5263
736e7ec8cd2e
mod_http_files: Replace file listing with an event, allowing a different plugin to generate it
Kim Alvefur <zash@zash.se>
parents:
5262
diff
changeset
|
142 if directory_index then |
|
736e7ec8cd2e
mod_http_files: Replace file listing with an event, allowing a different plugin to generate it
Kim Alvefur <zash@zash.se>
parents:
5262
diff
changeset
|
143 data = server._events.fire_event("directory-index", { path = request.path, full_path = full_path }); |
|
736e7ec8cd2e
mod_http_files: Replace file listing with an event, allowing a different plugin to generate it
Kim Alvefur <zash@zash.se>
parents:
5262
diff
changeset
|
144 end |
|
736e7ec8cd2e
mod_http_files: Replace file listing with an event, allowing a different plugin to generate it
Kim Alvefur <zash@zash.se>
parents:
5262
diff
changeset
|
145 if not data then |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
146 return 403; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
147 end |
|
8757
861a7d6c12d8
mod_http_files: Correct cache insertion (fixes #1130)
Kim Alvefur <zash@zash.se>
parents:
7991
diff
changeset
|
148 cache:set(orig_path, { data = data, content_type = mime_map.html; etag = etag; }); |
|
5263
736e7ec8cd2e
mod_http_files: Replace file listing with an event, allowing a different plugin to generate it
Kim Alvefur <zash@zash.se>
parents:
5262
diff
changeset
|
149 response_headers.content_type = mime_map.html; |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
150 |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
151 else |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
152 local f, err = open(full_path, "rb"); |
|
7491
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
153 if not f then |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
154 module:log("debug", "Could not open %s. Error was %s", full_path, err); |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
155 return 403; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
156 end |
|
5269
7bc52402966d
mod_http_files: Fix sending Content-Type for index files
Kim Alvefur <zash@zash.se>
parents:
5268
diff
changeset
|
157 local ext = full_path:match("%.([^./]+)$"); |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
158 local content_type = ext and mime_map[ext]; |
|
7491
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
159 response_headers.content_type = content_type; |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
160 if attr.size > cache_max_file_size then |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
161 response_headers.content_length = attr.size; |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
162 module:log("debug", "%d > cache_max_file_size", attr.size); |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
163 return response:send_file(f); |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
164 else |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
165 data = f:read("*a"); |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
166 f:close(); |
|
491975f5d383
mod_http_files: Send larger files using new file handle API
Kim Alvefur <zash@zash.se>
parents:
7490
diff
changeset
|
167 end |
|
7490
b75b08af7a78
mod_http_files: Switch to use util.cache for cache
Kim Alvefur <zash@zash.se>
parents:
7487
diff
changeset
|
168 cache:set(orig_path, { data = data; content_type = content_type; etag = etag }); |
|
5238
0cc0359d8c39
mod_http_files: Generate simple directory index.
Kim Alvefur <zash@zash.se>
parents:
5237
diff
changeset
|
169 end |
|
0cc0359d8c39
mod_http_files: Generate simple directory index.
Kim Alvefur <zash@zash.se>
parents:
5237
diff
changeset
|
170 |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
171 return response:send(data); |
|
3353
cd3cbf361f8f
mod_httpserver: Serve index.html if a request is made for a directory and it contains one (thanks Brian Cully)
Matthew Wild <mwild1@gmail.com>
parents:
2925
diff
changeset
|
172 end |
|
5233
342c46e62f50
mod_http_files: Return 404 faster if file does not exist
Kim Alvefur <zash@zash.se>
parents:
5232
diff
changeset
|
173 |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
174 return serve_file; |
|
1667
c7bb2264e3b8
mod_httpserver: Set default file handler (you can now request static files as /*) and restructure code a bit
Matthew Wild <mwild1@gmail.com>
parents:
1552
diff
changeset
|
175 end |
|
1770
3e17002221eb
mod_httpserver: Backport from trunk more thorough validation of URLs prior to processing
Matthew Wild <mwild1@gmail.com>
parents:
1552
diff
changeset
|
176 |
|
5265
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
177 function wrap_route(routes) |
|
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
178 for route,handler in pairs(routes) do |
|
5268
69964d1cbe66
mod_http_files: Allow passing a string to serve()
Kim Alvefur <zash@zash.se>
parents:
5265
diff
changeset
|
179 if type(handler) ~= "function" then |
|
5265
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
180 routes[route] = serve(handler); |
|
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
181 end |
|
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
182 end |
|
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
183 return routes; |
|
cc2aed452a62
mod_http_files: Expose function other modules can use to combine their routes with file paths to serve
Kim Alvefur <zash@zash.se>
parents:
5264
diff
changeset
|
184 end |
|
1667
c7bb2264e3b8
mod_httpserver: Set default file handler (you can now request static files as /*) and restructure code a bit
Matthew Wild <mwild1@gmail.com>
parents:
1552
diff
changeset
|
185 |
|
5262
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
186 if base_path then |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
187 module:provides("http", { |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
188 route = { |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
189 ["GET /*"] = serve { |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
190 path = base_path; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
191 directory_index = directory_index; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
192 } |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
193 }; |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
194 }); |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
195 else |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
196 module:log("debug", "http_files_dir not set, assuming use by some other module"); |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
197 end |
|
4e58fde55594
mod_http_files: Export function can be used by other modules to serve files. Don't serve files by default unless http_files_dir is set
Kim Alvefur <zash@zash.se>
parents:
5261
diff
changeset
|
198 |
