Directory traversal and content sniffing fix #25
Merged
Az107 merged 5 commits into Az107:master from Apr 10, 2025
Conversation
Contributor
miky-rola
commented
Apr 10, 2025
- Path Traversal Protection: Added a safe_join_paths function that:
  - Canonicalizes paths to resolve any ".." components
  - Ensures the requested path is within the configured root directory
  - Returns None for paths that attempt to escape the root
  - Uses PathBuf for path handling instead of string concatenation
- Added proper directory path handling with index files
- Added special handling for the root path
- Added "X-Content-Type-Options: nosniff" to prevent content type sniffing attacks
- Added support for many more file types
- Uses a safe default "application/octet-stream" for unknown types instead of "text/plain"
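The following Rust sketch shows the `safe_join_paths` contract listed in the description (resolve ".." components, confine the result to the configured root, return None on escape, use PathBuf instead of string concatenation) together with directory-to-index-file handling. It is an added example, not the code merged in this PR; the `resolve_request` helper, the index file name `index.html` and the sample directory tree built by `sample_root` are assumptions.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

/// Map a request path such as "/css/../css/site.css" onto a file under `root`.
/// Returns None when the request would resolve outside `root`.
pub fn safe_join_paths(root: &Path, requested: &str) -> Option<PathBuf> {
    // Canonicalize the root once so containment is checked on an absolute, symlink-free path.
    let root = fs::canonicalize(root).ok()?;
    let mut resolved = root.clone();
    for comp in Path::new(requested.trim_start_matches('/')).components() {
        match comp {
            Component::Normal(c) => resolved.push(c),
            Component::CurDir => {}
            // ".." that would climb above the root is an escape attempt, not a normalization.
            Component::ParentDir if resolved == root => return None,
            Component::ParentDir => {
                resolved.pop();
            }
            // After stripping the leading "/", an absolute or drive-prefixed component is bogus.
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    match fs::canonicalize(&resolved) {
        // The target exists: follow symlinks and re-check containment on the real path.
        Ok(canon) if canon.starts_with(&root) => Some(canon),
        Ok(_) => None,
        // Missing target but lexically inside root: let the caller answer 404 rather than 403.
        Err(_) => Some(resolved),
    }
}

/// Directory requests are served from an index file (assumed name: "index.html").
pub fn resolve_request(root: &Path, requested: &str) -> Option<PathBuf> {
    let path = safe_join_paths(root, requested)?;
    Some(if path.is_dir() { path.join("index.html") } else { path })
}

/// Build a constructed sample document root in the temp directory (test data, not a deployment).
pub fn sample_root() -> PathBuf {
    let root = std::env::temp_dir().join(format!("pr25-root-{}", std::process::id()));
    fs::create_dir_all(root.join("css")).unwrap();
    fs::write(root.join("css/site.css"), "body{}").unwrap();
    fs::write(root.join("index.html"), "<h1>hi</h1>").unwrap();
    root
}

fn main() {
    let root = sample_root();
    println!("{:?}", resolve_request(&root, "/css/../css/site.css"));
    println!("{:?}", resolve_request(&root, "/../etc/passwd"));
}
```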
Az107
reviewed
Apr 10, 2025
src/main.rs
Outdated
| Some(c) => { | ||
| let mut headers = headers!("Content-Type" => mimetype); | ||
| if let Some(ref mut map) = headers { // Unwrap the Option safely | ||
| map.insert("X-Content-Type-Options".to_string(), "nosniff".to_string()); |
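Review bot: the `if let Some(ref mut map) = headers` branch silently skips `X-Content-Type-Options` whenever `headers!` yields None, so the nosniff protection depends on the macro's success path rather than being guaranteed; building both headers in one macro call (`headers!("Content-Type" => mimetype, "X-Content-Type-Options" => "nosniff")`) removes the conditional insert and the mutable borrow.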
Owner
We can add headers easily with the macro as
headers!("Content-Type" => mimetype, "X-Content-Type-Options"=>"nosniff")
Contributor
Author
This is better, lemme update it
Az107
approved these changes
Apr 10, 2025