From 1bd2076b35f9c9bcc6ef9fe96f157c4de0cbd7cc Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Tue, 25 Jan 2022 16:44:05 +0000 Subject: [PATCH] prevent drive traversal in windows --- actix-files/src/path_buf.rs | 30 +++++++++++++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/actix-files/src/path_buf.rs b/actix-files/src/path_buf.rs index f7f7cdab..9ee1338c 100644 --- a/actix-files/src/path_buf.rs +++ b/actix-files/src/path_buf.rs @@ -59,6 +59,8 @@ impl PathBufWrap { continue; } else if cfg!(windows) && segment.contains('\\') { return Err(UriSegmentError::BadChar('\\')); + } else if cfg!(windows) && segment.contains(':') { + return Err(UriSegmentError::BadChar(':')); } else { buf.push(segment) } @@ -66,7 +68,11 @@ impl PathBufWrap { // make sure we agree with stdlib parser for (i, component) in buf.components().enumerate() { - assert!(matches!(component, Component::Normal(_))); + assert!( + matches!(component, Component::Normal(_)), + "component `{:?}` is not normal", + component + ); assert!(i < segment_count); } @@ -159,4 +165,26 @@ mod tests { PathBuf::from_iter(vec!["etc/passwd"]) ); } + + #[test] + #[cfg_attr(windows, should_panic)] + fn windows_drive_traversal() { + // detect issues in windows that could lead to path traversal + // see