Backport safe_relative_path/1 from OTP 19.3

jhlywa · jhlywa · commit fa50764ff3a8 · 2018-10-08T15:00:24.000-04:00
diff --git a/src/elli_static.erl b/src/elli_static.erl
@@ -88,7 +88,7 @@ maybe_file(Req, Prefix, Dir) ->
 
     %% santize the path ensuring the request doesn't access any parent
     %% directories ... and reattach the slash if deemed safe
-    SafePath = case filename:safe_relative_path(RawPath) of
+    SafePath = case safe_relative_path(RawPath) of
                    unsafe ->
                        throw(?NOT_FOUND);
                    %% return type quirk work around
@@ -110,3 +110,43 @@ maybe_file(Req, Prefix, Dir) ->
         _ ->
             nothing
     end.
+
+
+%% OTP_RELEASE macro was introduced in 21, `filename:safe_relative_path/1' in
+%% 19.3.
+-ifdef(OTP_RELEASE).
+  -ifdef(?OTP_RELEASE >= 21).
+safe_relative_path(Path) ->
+    filename:safe_relative_path(Path).
+  -endif.
+-else.
+
+%% @doc Backport of `filename:safe_relative_path/1' from 19.3. This code was
+%% lifted from:
+%% https://github.com/erlang/otp/blob/master/lib/stdlib/src/filename.erl#L811
+-spec safe_relative_path(binary()) -> unsafe | file:name_all().
+safe_relative_path(Path) ->
+    case filename:pathtype(Path) of
+        relative ->
+            Cs0 = filename:split(Path),
+            safe_relative_path_1(Cs0, []);
+        _ ->
+            unsafe
+    end.
+
+safe_relative_path_1([<<".">>|T], Acc) ->
+    safe_relative_path_1(T, Acc);
+safe_relative_path_1([<<"..">>|T], Acc) ->
+    climb(T, Acc);
+safe_relative_path_1([H|T], Acc) ->
+    safe_relative_path_1(T, [H|Acc]);
+safe_relative_path_1([], []) ->
+    [];
+safe_relative_path_1([], Acc) ->
+    filename:join(lists:reverse(Acc)).
+
+climb(_, []) ->
+    unsafe;
+climb(T, [_|Acc]) ->
+    safe_relative_path_1(T, Acc).
+-endif.
diff --git a/test/elli_static_tests.erl b/test/elli_static_tests.erl
@@ -31,13 +31,18 @@ not_found() ->
     ?assertMatch({{"HTTP/1.1",404,"Not Found"}, _Headers, "Not Found"}, Response).
 
 safe_traversal() ->
-    {ok, Response} = httpc:request("http://localhost:3000/elli_static/"
-                                   "../elli_static/README.md"),
     {ok, File} = file:read_file("README.md"),
     Expected = binary_to_list(File),
+
+    {ok, Response1} = httpc:request("http://localhost:3000/elli_static/"
+                                   "../elli_static/README.md"),
     ?assertEqual([integer_to_list(iolist_size(Expected))],
-                 proplists:get_all_values("content-length", element(2, Response))),
-    ?assertMatch({_Status, _Headers, Expected}, Response).
+                 proplists:get_all_values("content-length", element(2, Response1))),
+    ?assertMatch({_Status, _Headers, Expected}, Response1),
+
+
+    %% `Response' should match the same request above
+    {ok, Response} = httpc:request("http://localhost:3000/elli_static/./README.md").
 
 unsafe_traversal() ->
     %% compute the relative path to /etc/passwd
