Merge pull request #334 from CrowCpp/sanitize_absolute_path

fixed issue where absolute unix paths were not sanitized
CrowCpp · Feb 8, 2022 · a63b080 · a63b080
2 parents 9f64a7b + dcd2b0c
commit a63b080
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/include/crow/mustache.h b/include/crow/mustache.h
@@ -632,7 +632,9 @@ namespace crow
 
         inline std::string load_text(const std::string& filename)
         {
-            return detail::get_loader_ref()(filename);
+            std::string filename_sanitized(filename);
+            utility::sanitize_filename(filename_sanitized);
+            return detail::get_loader_ref()(filename_sanitized);
         }
 
         inline template_t load(const std::string& filename)

diff --git a/include/crow/utility.h b/include/crow/utility.h
@@ -694,7 +694,15 @@ namespace crow
                 }
                 else if ((c == '/') || (c == '\\'))
                 {
-                    checkForSpecialEntries = true;
+                    //TODO(EDev): uncomment below once #332 is merged
+                    if (/*CROW_UNLIKELY(*/ i == 0 /*)*/) //Prevent Unix Absolute Paths (Windows Absolute Paths are prevented with `(c == ':')`)
+                    {
+                        data[i] = replacement;
+                    }
+                    else
+                    {
+                        checkForSpecialEntries = true;
+                    }
                 }
             }
         }

diff --git a/tests/unittest.cpp b/tests/unittest.cpp
@@ -2473,6 +2473,7 @@ TEST_CASE("sanitize_filename")
     CHECK(sanitize_filename("abc/COM9") == "abc/_");
     CHECK(sanitize_filename("abc/COM") == "abc/COM");
     CHECK(sanitize_filename("abc/CON") == "abc/_");
+    CHECK(sanitize_filename("/abc/") == "_abc/");
 }
 
 TEST_CASE("get_port")