author | Sriram Melkote <siri@couchbase.com> | 2012-12-15 04:03:45 +0530 |
---|---|---|
committer | Jan Lehnardt <jan@apache.org> | 2012-12-19 17:45:07 +0100 |
commit | bc5880f7c342b79468bc66b6b1d34fcf5be83070 (patch) | |
tree | 646df84009fbf5656139ce64040fd05ef477ba3d | |
parent | 6429a44b2b6589c234a519db9e2ac8f61f0a24ae (diff) | |
download | couchdb-bc5880f7c342b79468bc66b6b1d34fcf5be83070.tar.gz |
improve parsing of mochiweb relative paths
Patch adapted from http://www.couchbase.com/issues/browse/MB-7390
-rw-r--r-- | src/mochiweb/mochiweb_util.erl | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/mochiweb/mochiweb_util.erl b/src/mochiweb/mochiweb_util.erl
index 3b50fe7d8..6b8881894 100644
--- a/src/mochiweb/mochiweb_util.erl
+++ b/src/mochiweb/mochiweb_util.erl
@@ -68,11 +68,17 @@ partition2(_S, _Sep) ->
 %% @spec safe_relative_path(string()) -> string() | undefined
 %% @doc Return the reduced version of a relative path or undefined if it
 %% is not safe. safe relative paths can be joined with an absolute path
-%% and will result in a subdirectory of the absolute path.
+%% and will result in a subdirectory of the absolute path. Safe paths
+%% never contain a backslash character.
 safe_relative_path("/" ++ _) ->
 undefined;
 safe_relative_path(P) ->
- safe_relative_path(P, []).
+ case string:chr(P, $\\) of
+ 0 ->
+ safe_relative_path(P, []);
+ _ ->
+ undefined
+ end.

 safe_relative_path("", Acc) ->
 case Acc of
@@ -809,6 +815,7 @@ safe_relative_path_test() ->
 undefined = safe_relative_path("../foo"),
 undefined = safe_relative_path("foo/../.."),
 undefined = safe_relative_path("foo//"),
+ undefined = safe_relative_path("foo\\bar"),
 ok.

 parse_qvalues_test() -> |
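Review bot: The backslash check added to `safe_relative_path/1` is documented only as a rule ("Safe paths never contain a backslash character"), not as a reason. On Windows a backslash separates path segments, and the "/"-based reduction in `safe_relative_path/2` (its body is outside this hunk) presumably does not split on it. I would add a comment above the `case`, for example `%% Reject "\\": it is a path separator on Windows, which the "/"-based reduction below does not split on.` The check applies to `P` exactly as passed, so the doc should also say that callers must pass the already-decoded path; whether any caller decodes after this call cannot be confirmed from the hunk. The test hunk pins only `"foo\\bar"`; adding `undefined = safe_relative_path("..\\foo"),` and `undefined = safe_relative_path("foo\\..\\.."),` would mirror the existing forward-slash cases.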