# HG changeset patch # User Kim Alvefur # Date 1457017534 -3600 # Node ID c018a44b822a8efd82f2051c89a00b0db190ad3c # Parent c6f9d694d7782a498e513365ae9dea6cd5e9504e# Parent 20246b1396071e821bf41810ce2d0a016c48f4af Merge 0.9->0.10 diff -r c6f9d694d778 -r c018a44b822a plugins/mod_http_files.lua --- a/plugins/mod_http_files.lua Wed Mar 02 16:43:42 2016 +0100 +++ b/plugins/mod_http_files.lua Thu Mar 03 16:05:34 2016 +0100 @@ -56,6 +56,7 @@ local urldecode = require "util.http".urldecode; function sanitize_path(path) + if not path then return end local out = {}; local c = 0; @@ -74,6 +75,9 @@ out[c] = component; end end + if path:sub(-1,-1) == "/" then + out[c+1] = ""; + end return "/"..table.concat(out, "/"); end @@ -88,12 +92,13 @@ local directory_index = opts.directory_index; local function serve_file(event, path) local request, response = event.request, event.response; - path = sanitize_path(path); - if not path then + local sanitized_path = sanitize_path(path); + if path and not sanitized_path then return 400; end + path = sanitized_path; local orig_path = sanitize_path(request.path); - local full_path = base_path .. (path and "/"..path or ""):gsub("/", path_sep); + local full_path = base_path .. (path or ""):gsub("/", path_sep); local attr = stat(full_path:match("^.*[^\\/]")); -- Strip trailing path separator because Windows if not attr then return 404;