improve parsing of mochiweb relative paths Patch adapted from http://www.couchbase.com/issues/browse/MB-7390
Project: http://git-wip-us.apache.org/repos/asf/couchdb/repo Commit: http://git-wip-us.apache.org/repos/asf/couchdb/commit/17001133 Tree: http://git-wip-us.apache.org/repos/asf/couchdb/tree/17001133 Diff: http://git-wip-us.apache.org/repos/asf/couchdb/diff/17001133 Branch: refs/heads/1.1.x Commit: 1700113302c1960201423a34543a67e1f9b48cfd Parents: 55ba156 Author: Sriram Melkote <[email protected]> Authored: Sat Dec 15 04:03:45 2012 +0530 Committer: Jan Lehnardt <[email protected]> Committed: Wed Dec 19 18:04:19 2012 +0100 ---------------------------------------------------------------------- src/mochiweb/mochiweb_util.erl | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/couchdb/blob/17001133/src/mochiweb/mochiweb_util.erl ----------------------------------------------------------------------
diff --git a/src/mochiweb/mochiweb_util.erl b/src/mochiweb/mochiweb_util.erl
index 62ff0d0..dae9236 100644
--- a/src/mochiweb/mochiweb_util.erl
+++ b/src/mochiweb/mochiweb_util.erl
@@ -68,11 +68,17 @@ partition2(_S, _Sep) ->
 %% @spec safe_relative_path(string()) -> string() | undefined
 %% @doc Return the reduced version of a relative path or undefined if it
 %% is not safe. safe relative paths can be joined with an absolute path
-%% and will result in a subdirectory of the absolute path.
+%% and will result in a subdirectory of the absolute path. Safe paths
+%% never contain a backslash character.
 safe_relative_path("/" ++ _) ->
 undefined;
 safe_relative_path(P) ->
- safe_relative_path(P, []).
+ case string:chr(P, $\\) of
+ 0 ->
+ safe_relative_path(P, []);
+ _ ->
+ undefined
+ end.
 safe_relative_path("", Acc) ->
 case Acc of
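Review bot: The new clause of `safe_relative_path/1` expresses a membership test as `string:chr(P, $\\)` compared against `0`, which reads as an index lookup rather than "does the path contain a backslash"; `lists:member/2` states the intent directly and avoids the magic zero: `case lists:member($\\, P) of true -> undefined; false -> safe_relative_path(P, []) end.` The check rejects only a literal backslash, so it relies on callers passing an already percent-decoded path — if any caller decodes after this call the check would not see an encoded separator; that ordering is outside the hunk and worth confirming. The @doc text could record the assumption, e.g. `%% The path is expected to be already URL-decoded.` `safe_relative_path/2` begins at the end of the hunk and continues outside it.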
@@ -809,6 +815,7 @@ safe_relative_path_test() ->
 undefined = safe_relative_path("../foo"),
 undefined = safe_relative_path("foo/../.."),
 undefined = safe_relative_path("foo//"),
+ undefined = safe_relative_path("foo\\bar"),
 ok.
 parse_qvalues_test() ->
