authorLars Wirzenius <liw@liw.fi>2021-08-23 17:08:24 +0000
committerLars Wirzenius <liw@liw.fi>2021-08-23 17:08:24 +0000
commitc97132e90f1b835c2e756f15f21685b4f4afc956 (patch)
tree0390eb6af9aa43b313b0c4fd3b9c3ba2719a7738
parent3b387bd42b5b928a17a223406995008af3f729ea (diff)
parent758b238503d9b60a905d8e95f44e88b80be4433d (diff)
Merge branch 'keep-it-webroot' into 'main'
verify /../ in path can't access outside webroot

See merge request larswirzenius/ewww!23
-rw-r--r--ewww.md66
1 files changed, 48 insertions, 18 deletions
diff --git a/ewww.md b/ewww.md
index 8de29d7..f9bad80 100644
--- a/ewww.md
+++ b/ewww.md
@@ -1,3 +1,23 @@
+---
+title: "Ewww &mdash; a Web server for static sites"
+author: Lars Wirzenius
+template: python
+bindings:
+ - subplot/ewww.yaml
+ - lib/daemon.yaml
+ - lib/files.yaml
+ - lib/runcmd.yaml
+functions:
+ - subplot/ewww.py
+ - subplot/http.py
+ - lib/daemon.py
+ - lib/files.py
+ - lib/runcmd.py
+classes:
+ - scenario-disabled
+...
+
+
# Introduction
Ewww is a web server for static sites. It aims to be simple code,
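Review bot: the relocated metadata block is followed by two blank lines (after the `...` terminator) before `# Introduction`; one blank line separates it cleanly, so drop the extra one.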
@@ -144,22 +164,32 @@ then I get status code 405
and allow is "GET HEAD"
~~~
+## Request asking file from parent of webroot fails
----
-title: "Ewww &mdash; a Web server for static sites"
-author: Lars Wirzenius
-template: python
-bindings:
- - subplot/ewww.yaml
- - lib/daemon.yaml
- - lib/files.yaml
- - lib/runcmd.yaml
-functions:
- - subplot/ewww.py
- - subplot/http.py
- - lib/daemon.py
- - lib/files.py
- - lib/runcmd.py
-classes:
- - scenario-disabled
-...
+The HTTP client must not be able to escape the webroot by using `/../`
+in the request path.
+
+~~~scenario
+given a self-signed certificate as snakeoil.pem, using key snakeoil.key
+given directory somedir/webroot
+given file somedir/secret.txt from secret.txt
+given file somedir/webroot/foo.html from webpage.html
+given a running server using config file somedir.yaml
+
+when I request GET https://example.com/foo.html
+then I get status code 200
+then body is "this is your web page"
+
+when I request GET https://example.com/../secret.txt
+then I get status code 404
+~~~
+
+~~~{#somedir.yaml .file .yaml .numberLines}
+webroot: somedir/webroot
+tls_cert: snakeoil.pem
+tls_key: snakeoil.key
+~~~
+
+~~~{#secret.txt .file}
+secret
+~~~
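Review bot: the traversal check at `when I request GET https://example.com/../secret.txt` only exercises the server if the request step sends that path verbatim; most HTTP client libraries apply RFC 3986 dot-segment removal before sending, which would turn this into `GET /secret.txt`, and that returns 404 simply because no `secret.txt` exists under `somedir/webroot`, so the scenario would pass without the server's path handling ever being tested. Please confirm that the step implementation in `subplot/http.py` bypasses that normalization (or asserts on the raw request line the server received), otherwise the new `## Request asking file from parent of webroot fails` scenario gives a false sense of coverage.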