Anything in hyper_staticfile to avoid "../../../" attacks?

I am looking at resolve.rs - source

Is there anything in resolve / resolve_path which prevents a malicious client from constructing "../../../../" to escape the "root" of the static file directory?

Those functions call crate::utils::requested_path::RequestedPath::resolve, which calls normalize_path on the passed path, which normalizes the path (removing `..` but not going past `/`), which is then appended to the root directory. So it doesn't look like it can access paths outside of the root directory.


For anyone else curious, I think this is the line @asymmetrikon was referring to: hyper-staticfile/requested_path.rs at main · stephank/hyper-staticfile · GitHub

The vec can become empty but it can't "go negative".
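To make the two replies above concrete, here is a worked example of that normalization strategy. This is an added sketch, not hyper-staticfile's own code: the functions `percent_decode`, `normalize_segments` and `resolve`, the root `/srv/www` and the request paths are all my own, and the rejection of `\`, `:` and NUL inside a segment is a conservative choice I made for Windows-style separators and drive prefixes, not something the thread says the crate does. The point it demonstrates is the one @asymmetrikon made: `..` pops a segment stack, and popping an empty stack is a no-op, so the stack can become empty but never escapes above the root.

```rust
use std::path::{Path, PathBuf};

/// Decode `%XX` escapes in a request path. Invalid escapes are kept literally.
/// Decoding happens BEFORE normalization: if it were done afterwards, an
/// encoded `%2e%2e` would survive normalization and only turn into `..` later.
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(h), Some(l)) = (hex(bytes[i + 1]), hex(bytes[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

fn hex(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Normalize a decoded request path into a stack of segments relative to the root.
/// `.` and empty segments are dropped, `..` pops the last segment, and popping an
/// empty stack is a no-op: the vec can become empty but it cannot "go negative".
fn normalize_segments(decoded: &str) -> Vec<String> {
    let mut stack: Vec<String> = Vec::new();
    for seg in decoded.split('/') {
        match seg {
            "" | "." => {}
            ".." => {
                stack.pop();
            }
            s => stack.push(s.to_string()),
        }
    }
    stack
}

/// Resolve a raw request path against `root`. Returns `None` for segments that
/// could be interpreted as a separator or drive prefix on some platforms
/// (my own conservative rule, assumed here for the example).
fn resolve(root: &Path, raw_request_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(raw_request_path);
    let mut out = root.to_path_buf();
    for seg in normalize_segments(&decoded) {
        if seg.contains('\\') || seg.contains(':') || seg.contains('\0') {
            return None;
        }
        out.push(seg);
    }
    Some(out)
}

fn main() {
    // Constructed sample requests, including a plain and a percent-encoded traversal.
    let root = Path::new("/srv/www");
    for req in ["/../../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd", "/a/b/../c/./d.txt", "/"] {
        println!("{:<28} -> {:?}", req, resolve(root, req));
    }
}
```

Note what this does and does not cover: it stops a request path from climbing above the root as a string, but it says nothing about symlinks that already exist under the root and point outside it; if that matters in your deployment, canonicalize the final path at open time and compare it against the canonicalized root.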
