author | Lars Wirzenius <liw@liw.fi> | 2021-08-23 20:03:45 +0300 |
---|---|---|
committer | Lars Wirzenius <liw@liw.fi> | 2021-08-23 20:03:45 +0300 |
commit | 758b238503d9b60a905d8e95f44e88b80be4433d (patch) | |
tree | 0390eb6af9aa43b313b0c4fd3b9c3ba2719a7738 /ewww.md | |
parent | 4165b908fe55a26dea850c376a340905408b8ee4 (diff) | |
download | ewww-758b238503d9b60a905d8e95f44e88b80be4433d.tar.gz |
test: verify that /../ in request path can't access outside webroot
Sponsored-by: author
Diffstat (limited to 'ewww.md')
-rw-r--r-- | ewww.md | 28 |
1 files changed, 28 insertions, 0 deletions
@@ -164,4 +164,32 @@ then I get status code 405 and allow is "GET HEAD" ~~~ +## Request asking file from parent of webroot fails +The HTTP client must not be able to escape the webroot by using `/../` +in the request path. + +~~~scenario +given a self-signed certificate as snakeoil.pem, using key snakeoil.key +given directory somedir/webroot +given file somedir/secret.txt from secret.txt +given file somedir/webroot/foo.html from webpage.html +given a running server using config file somedir.yaml + +when I request GET https://example.com/foo.html +then I get status code 200 +then body is "this is your web page" + +when I request GET https://example.com/../secret.txt +then I get status code 404 +~~~ + +~~~{#somedir.yaml .file .yaml .numberLines} +webroot: somedir/webroot +tls_cert: snakeoil.pem +tls_key: snakeoil.key +~~~ + +~~~{#secret.txt .file} +secret +~~~ |
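Review bot: the new scenario only exercises one traversal form, a literal `/../` as the first path segment, so it will not catch a handler that rejects a leading `..` but still resolves a nested one such as `/foo/../../secret.txt`, or one that decodes the path after checking it (`/%2e%2e/secret.txt`); consider adding a `when I request GET` step for each of those variants with the same `then I get status code 404` expectation. Also confirm that the scenario runner's HTTP client sends the request path verbatim, since many clients normalize `/../` away before the request leaves the client, in which case the server would never see the traversal and the test would pass regardless of the server's behaviour. Minor: `webpage.html` is referenced by `given file somedir/webroot/foo.html from webpage.html` but is not defined in this hunk, so it relies on the earlier definition in ewww.md staying in place.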