diff options
author | Lars Wirzenius <liw@liw.fi> | 2021-08-23 17:08:24 +0000 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2021-08-23 17:08:24 +0000 |
commit | c97132e90f1b835c2e756f15f21685b4f4afc956 (patch) | |
tree | 0390eb6af9aa43b313b0c4fd3b9c3ba2719a7738 | |
parent | 3b387bd42b5b928a17a223406995008af3f729ea (diff) | |
parent | 758b238503d9b60a905d8e95f44e88b80be4433d (diff) | |
download | ewww-c97132e90f1b835c2e756f15f21685b4f4afc956.tar.gz |
Merge branch 'keep-it-webroot' into 'main'
verify /../ in path can't access outside webroot
See merge request larswirzenius/ewww!23
-rw-r--r-- | ewww.md | 66 |
1 files changed, 48 insertions, 18 deletions
@@ -1,3 +1,23 @@ +--- +title: "Ewww — a Web server for static sites" +author: Lars Wirzenius +template: python +bindings: + - subplot/ewww.yaml + - lib/daemon.yaml + - lib/files.yaml + - lib/runcmd.yaml +functions: + - subplot/ewww.py + - subplot/http.py + - lib/daemon.py + - lib/files.py + - lib/runcmd.py +classes: + - scenario-disabled +... + + # Introduction Ewww is a web server for static sites. It aims to be simple code, @@ -144,22 +164,32 @@ then I get status code 405 and allow is "GET HEAD" ~~~ +## Request asking file from parent of webroot fails ---- -title: "Ewww — a Web server for static sites" -author: Lars Wirzenius -template: python -bindings: - - subplot/ewww.yaml - - lib/daemon.yaml - - lib/files.yaml - - lib/runcmd.yaml -functions: - - subplot/ewww.py - - subplot/http.py - - lib/daemon.py - - lib/files.py - - lib/runcmd.py -classes: - - scenario-disabled -... +The HTTP client must not be able to escape the webroot by using `/../` +in the request path. + +~~~scenario +given a self-signed certificate as snakeoil.pem, using key snakeoil.key +given directory somedir/webroot +given file somedir/secret.txt from secret.txt +given file somedir/webroot/foo.html from webpage.html +given a running server using config file somedir.yaml + +when I request GET https://example.com/foo.html +then I get status code 200 +then body is "this is your web page" + +when I request GET https://example.com/../secret.txt +then I get status code 404 +~~~ + +~~~{#somedir.yaml .file .yaml .numberLines} +webroot: somedir/webroot +tls_cert: snakeoil.pem +tls_key: snakeoil.key +~~~ + +~~~{#secret.txt .file} +secret +~~~ |