From 4165b908fe55a26dea850c376a340905408b8ee4 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 23 Aug 2021 19:55:03 +0300
Subject: refactor: move document YAML metadata to top

Sponsored-by: author
---
 ewww.md | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/ewww.md b/ewww.md
index 8de29d7..97b8357 100644
--- a/ewww.md
+++ b/ewww.md
@@ -1,3 +1,23 @@
+---
+title: "Ewww — a Web server for static sites"
+author: Lars Wirzenius
+template: python
+bindings:
+ - subplot/ewww.yaml
+ - lib/daemon.yaml
+ - lib/files.yaml
+ - lib/runcmd.yaml
+functions:
+ - subplot/ewww.py
+ - subplot/http.py
+ - lib/daemon.py
+ - lib/files.py
+ - lib/runcmd.py
+classes:
+ - scenario-disabled
+...
+
+
 # Introduction
 
 Ewww is a web server for static sites. It aims to be simple code,
@@ -145,21 +165,3 @@
 and allow is "GET HEAD"
 ~~~
 
----
-title: "Ewww — a Web server for static sites"
-author: Lars Wirzenius
-template: python
-bindings:
- - subplot/ewww.yaml
- - lib/daemon.yaml
- - lib/files.yaml
- - lib/runcmd.yaml
-functions:
- - subplot/ewww.py
- - subplot/http.py
- - lib/daemon.py
- - lib/files.py
- - lib/runcmd.py
-classes:
- - scenario-disabled
-...
-- 
cgit v1.2.1

From 758b238503d9b60a905d8e95f44e88b80be4433d Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Mon, 23 Aug 2021 20:03:45 +0300
Subject: test: verify that /../ in request path can't access outside webroot

Sponsored-by: author
---
 ewww.md | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/ewww.md b/ewww.md
index 97b8357..f9bad80 100644
--- a/ewww.md
+++ b/ewww.md
@@ -164,4 +164,32 @@
 then I get status code 405
 and allow is "GET HEAD"
 ~~~
 
+## Request asking file from parent of webroot fails
+The HTTP client must not be able to escape the webroot by using `/../`
+in the request path.
+
+~~~scenario
+given a self-signed certificate as snakeoil.pem, using key snakeoil.key
+given directory somedir/webroot
+given file somedir/secret.txt from secret.txt
+given file somedir/webroot/foo.html from webpage.html
+given a running server using config file somedir.yaml
+
+when I request GET https://example.com/foo.html
+then I get status code 200
+then body is "this is your web page"
+
+when I request GET https://example.com/../secret.txt
+then I get status code 404
+~~~
+
+~~~{#somedir.yaml .file .yaml .numberLines}
+webroot: somedir/webroot
+tls_cert: snakeoil.pem
+tls_key: snakeoil.key
+~~~
+
+~~~{#secret.txt .file}
+secret
+~~~
-- 
cgit v1.2.1
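Review bot: The `then I get status code 404` expectation after `when I request GET https://example.com/../secret.txt` can be satisfied even by a server with no traversal defence, because an HTTP client that normalizes the request-target sends `/secret.txt`, which does not exist under `somedir/webroot` and is 404 for an unrelated reason; only a request that reaches the server with the dot segments intact turns `somedir/webroot/../secret.txt` into the planted `somedir/secret.txt` and would expose a missing check. Whether the step sends the path verbatim depends on how `when I request GET` is implemented in `subplot/http.py`, which is outside this hunk, so that assumption should be stated next to the scenario, e.g. `<!-- The request step must send the path unnormalized; a client that collapses /../ turns this into a request for /secret.txt, which is 404 regardless of the server's check. -->`. A step asserting the path the server actually received, or a second request with the same segment percent-encoded, would make the scenario prove what its heading claims rather than pass by coincidence.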