author | Joey Hess <joeyh@joeyh.name> | 2014-12-11 20:08:49 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2014-12-11 20:08:49 -0400 |
commit | 892eac7f77f0e54fc8003ca9e306a76d59ebc519 (patch) | |
tree | b2a5e59b98769e8e9a0945ae947d69ae1657004a /Types | |
parent | fe0fdf3b49840c19f0c2294fd958e5ed6448a827 (diff) |
sanitize filepaths provided by checkUrl
Diffstat (limited to 'Types')
-rw-r--r-- | Types/UrlContents.hs | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/Types/UrlContents.hs b/Types/UrlContents.hs
index ae50c6b40..d6dee120b 100644
--- a/Types/UrlContents.hs
+++ b/Types/UrlContents.hs
@@ -5,14 +5,42 @@
 - Licensed under the GNU GPL version 3 or higher.
 -}
-module Types.UrlContents where
+module Types.UrlContents (
+ UrlContents(..),
+ SafeFilePath,
+ mkSafeFilePath,
+ fromSafeFilePath
+) where
 import Utility.Url
+import Utility.Path
+
+import System.FilePath
 data UrlContents
 -- An URL contains a file, whose size may be known.
 -- There might be a nicer filename to use.
- = UrlContents (Maybe Integer) (Maybe FilePath)
+ = UrlContents (Maybe Integer) (Maybe SafeFilePath)
 -- Sometimes an URL points to multiple files, each accessible
 -- by their own URL.
- | UrlMulti [(URLString, Maybe Integer, FilePath)]
+ | UrlMulti [(URLString, Maybe Integer, SafeFilePath)]
+
+-- This is a FilePath, from an untrusted source,
+-- sanitized so it doesn't contain any directory traversal tricks
+-- and is always relative. It can still contain subdirectories.
+-- Any unusual characters are also filtered out.
+newtype SafeFilePath = SafeFilePath FilePath
+ deriving (Show)
+
+mkSafeFilePath :: FilePath -> SafeFilePath
+mkSafeFilePath p = SafeFilePath $ if null p' then "file" else p'
+ where
+ p' = joinPath $ filter safe $ map sanitizeFilePath $ splitDirectories p
+ safe s
+ | isDrive s = False
+ | s == ".." = False
+ | null s = False
+ | otherwise = True
+
+fromSafeFilePath :: SafeFilePath -> FilePath
+fromSafeFilePath (SafeFilePath p) = p |
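Review bot: The `safe` predicate in mkSafeFilePath rejects only drives, `..` and empty components, so a dot-leading component such as `.git` still passes unless sanitizeFilePath (in Utility.Path, not shown here) rewrites it, and a name supplied by a remote server could then resolve inside the repository's own metadata directory. A guard like `| take 1 s == "." = False` would cover that case and `..` together. The predicate also runs after `map sanitizeFilePath`, so whether `isDrive` can ever match depends on how that helper treats `/` and `:`; filtering the raw components first, `joinPath $ map sanitizeFilePath $ filter safe $ splitDirectories p`, would keep the guarantee independent of it. The `"file"` fallback for an empty result also deserves a one-line comment saying why a fixed name is substituted.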