From f14c45151d786058bd774b4cf5ccd0f3e1ee2a08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?= <essen@ninenines.eu>
Date: Mon, 6 Jun 2016 17:39:06 +0200
Subject: Escape reserved filename characters

Note that this commit has currently only been tested on Linux.
It might be incomplete for other platforms.
---
 src/cowboy_static.erl | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/cowboy_static.erl b/src/cowboy_static.erl
index 62f7b52..d13db62 100644
--- a/src/cowboy_static.erl
+++ b/src/cowboy_static.erl
@@ -81,7 +81,7 @@ init_dir(Req, Path, Extra) when is_list(Path) ->
 init_dir(Req, Path, Extra) ->
 	Dir = fullpath(filename:absname(Path)),
 	PathInfo = cowboy_req:path_info(Req),
-	Filepath = filename:join([Dir|PathInfo]),
+	Filepath = filename:join([Dir|[escape_reserved(P, <<>>) || P <- PathInfo]]),
 	Len = byte_size(Dir),
 	case fullpath(Filepath) of
 		<< Dir:Len/binary, $/, _/binary >> ->
@@ -92,6 +92,21 @@ init_dir(Req, Path, Extra) ->
 			{cowboy_rest, Req, error}
 	end.
 
+%% We escape the slash found in path segments because
+%% a segment corresponds to a directory entry, and
+%% therefore those slashes are expected to be part of
+%% the directory name.
+%%
+%% Note that on most systems the slash is prohibited
+%% and cannot appear in filenames, which means the
+%% requested file will end up being not found.
+escape_reserved(<<>>, Acc) ->
+	Acc;
+escape_reserved(<< $/, Rest/bits >>, Acc) ->
+	escape_reserved(Rest, << Acc/binary, $\\, $/ >>);
+escape_reserved(<< C, Rest/bits >>, Acc) ->
+	escape_reserved(Rest, << Acc/binary, C >>).
+
 fullpath(Path) ->
 	fullpath(filename:split(Path), []).
 fullpath([], Acc) ->
-- 
cgit v1.2.3