mskor/mskor.xyz
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed: filepath for the blog is now specifically set to only allow files to be accessed if they exist in directory, writing this now I realise that the approach could mean that ../../../blog_name could be accessed still

Browse source
This commit is contained in:
Michal Skorczak 2024-11-13 22:48:03 +00:00
parent c9b984d5df
commit 575fd30835
1 changed files with 35 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
src/main.zig
View file

@ -3,11 +3,11 @@ const zap = @import("zap");
const Allocator = std.mem.Allocator; const Allocator = std.mem.Allocator;
//fn dispatch_routes(r: zap.Request) void { //fn dispatch_routes(r: zap.Request) void {
// if (r.path) |the_path| { // if (r.path) |the_path| {
// std.debug.print("PATH: {s}\n", .{the_path}); // std.log.print("PATH: {s}\n", .{the_path});
// } // }
// //
// if (r.query) |the_query| { // if (r.query) |the_query| {
// std.debug.print("QUERY: {s}\n", .{the_query}); // std.log.print("QUERY: {s}\n", .{the_query});
// } // }
// if (r.path) |path| { // if (r.path) |path| {
// if (routes.get(path)) |method| { // if (routes.get(path)) |method| {
@ -61,13 +61,39 @@ pub fn blog(self: *Self, req: zap.Request) void {
// looking for /blog?post=post_name // looking for /blog?post=post_name
if(req.getParamSlice("post")) |value| { if(req.getParamSlice("post")) |value| {
std.log.info("post name: {s}", .{value}); std.log.info("post name: {s}", .{value});
const filepath = std.fmt.allocPrint(self.allocator, "src/public/blog/{s}", .{value}) catch return;
defer self.allocator.free(filepath); const filepath = std.fmt.allocPrint(self.allocator, "./src/public/blog/{s}", .{value}) catch return;
const dir = std.fs.cwd().openDir("./src/public/blog", .{ .iterate = true }) catch return;
var walker = dir.walk(self.allocator) catch return;
defer walker.deinit();
while (walker.next() catch return) |entry| {
std.log.info("entry: {s}", .{entry.path});
if(std.mem.eql(u8,entry.path,value)) {
const file_content = std.fs.cwd().readFileAlloc(self.allocator, filepath, std.math.maxInt(usize)) catch return; const file_content = std.fs.cwd().readFileAlloc(self.allocator, filepath, std.math.maxInt(usize)) catch return;
defer self.allocator.free(file_content); defer self.allocator.free(file_content);
req.sendBody(file_content) catch return; req.sendBody(file_content) catch return;
} }
req.sendBody("ERROR: !") catch return; }
// defer self.allocator.free(filepath);
// const file_content = std.fs.cwd().readFileAlloc(self.allocator, filepath, std.math.maxInt(usize)) catch return;
// defer self.allocator.free(file_content);
// const absolute_filepath = std.fs.cwd().realpathAlloc(self.allocator, filepath) catch return;
// defer self.allocator.free(absolute_filepath);
// std.log.info("absolute_filepath: {s}\n", .{absolute_filepath});
// var walker = dir.walk(self.allocator) catch return;
// defer walker.deinit();
// while (walker.next() catch return) |entry| {
// const abs_p = std.fs.cwd().realpathAlloc(self.allocator, entry.path) catch return;
// defer self.allocator.free(abs_p);
// std.log.info("abs_entry: {s}", .{abs_p});
// std.log.info("entry: {s}", .{entry.path});
// }
// std.log.info("pwd: {s}", .{std.fs.cwd().realpathAlloc(self.allocator, ".") catch return});
// req.sendBody(file_content) catch return;
}
req.sendBody("ERROR: You shouldn't be looking here.") catch return;
} }
}; };
@ -112,7 +138,7 @@ pub fn main() !void {
var listener = zap.HttpListener.init(.{ .port = 4000, .on_request = router.on_request_handler(), .log = true, .max_clients = 100000, .public_folder = "src/public" }); var listener = zap.HttpListener.init(.{ .port = 4000, .on_request = router.on_request_handler(), .log = true, .max_clients = 100000, .public_folder = "src/public" });
try listener.listen(); try listener.listen();
std.debug.print("Listening on 0.0.0.0:4000\n", .{}); std.log.info("Listening on 0.0.0.0:4000\n", .{});
zap.start(.{ zap.start(.{
.threads = 2, .threads = 2,