Diffstat (limited to 'ewww.md')
-rw-r--r-- ewww.md | 28 ++++++++++++++++++++++++++++
1 files changed, 28 insertions, 0 deletions
diff --git a/ewww.md b/ewww.md
index 97b8357..f9bad80 100644
--- a/ewww.md
+++ b/ewww.md
@@ -164,4 +164,32 @@ then I get status code 405
and allow is "GET HEAD"
~~~
+## Request asking file from parent of webroot fails
+The HTTP client must not be able to escape the webroot by using `/../`
+in the request path.
+
+~~~scenario
+given a self-signed certificate as snakeoil.pem, using key snakeoil.key
+given directory somedir/webroot
+given file somedir/secret.txt from secret.txt
+given file somedir/webroot/foo.html from webpage.html
+given a running server using config file somedir.yaml
+
+when I request GET https://example.com/foo.html
+then I get status code 200
+then body is "this is your web page"
+
+when I request GET https://example.com/../secret.txt
+then I get status code 404
+~~~
+
+~~~{#somedir.yaml .file .yaml .numberLines}
+webroot: somedir/webroot
+tls_cert: snakeoil.pem
+tls_key: snakeoil.key
+~~~
+
+~~~{#secret.txt .file}
+secret
+~~~
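Review bot: the `when I request GET https://example.com/../secret.txt` step may never reach the server with `..` in the path, because most HTTP client libraries normalize `/../` out of a URL before sending the request; unless the scenario runner is known to send the raw path, this assertion can pass without exercising the webroot check at all. Suggest confirming that the runner transmits the path verbatim, and adding a variant with the dots percent-encoded (for example `GET https://example.com/%2e%2e/secret.txt`) so the server's own decoding and normalization is what gets tested. It would also strengthen the check to assert on the body, not only the status code, since the intent stated in the prose is that the contents of `somedir/secret.txt` must never be served; a line such as `then body is not "secret"` (or whatever negation the scenario language supports) after `then I get status code 404` would make the expected outcome explicit.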