[no subject]
From: |
Tatiana |
Date: |
Wed, 27 Jun 2018 08:42:58 -0400 (EDT) |
branch: web-interface
commit 450c6bb6610d9425539535894014f2b795458962
Author: TSholokhova <address@hidden>
Date: Wed Jun 27 15:42:41 2018 +0300
Add white-list.
* src/cuirass/http.scm (respond-static-file, file-white-list): Add white
list check.
---
src/cuirass/http.scm | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/cuirass/http.scm b/src/cuirass/http.scm
index 9cab34d..712db10 100644
--- a/src/cuirass/http.scm
+++ b/src/cuirass/http.scm
@@ -44,7 +44,7 @@
;; Define to the static file directory.
(string-append (or (getenv "CUIRASS_DATADIR")
(string-append %datadir "/" %package))
- "/static/"))
+ "/static"))
(define file-mime-types
'(("css" . (text/css))
@@ -55,6 +55,13 @@
("gif" . (image/gif))
("html" . (text/html))))
+(define file-white-list
+ '("css/bootstrap.css"
+ "css/open-iconic-bootstrap.css"
+ "fonts/open-iconic.otf"
+ "fonts/open-iconic.woff"
+ "images/logo.png"))
+
(define (file-extension file-name)
(last (string-split file-name #\.)))
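Review bot: `file-white-list` has no comment stating that it is the only gate on which files `respond-static-file` will serve, or that its entries are paths relative to `%static-directory` compared by exact string match. I would add above the definition: `;; Files that may be served from %static-directory. Entries are relative paths (no leading slash); requests are matched against them exactly.` Stating this also makes it clear to later editors that a prefix or pattern entry would not behave as an exact one does.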
@@ -174,13 +181,14 @@ Hydra format."
(define (respond-static-file path)
;; PATH is a list of path components
- (let ((file-name (string-join (cons* %static-directory path) "/")))
- (if (and (not (any (cut string-contains <> "..") path))
- (file-exists? file-name)
- (not (directory? file-name)))
+ (let ((file-name (string-join path "/"))
+ (file-path (string-join (cons* %static-directory path) "/")))
+ (if (and (member file-name file-white-list)
+ (file-exists? file-path)
+ (not (directory? file-path)))
(respond
- `((content-type . ,(assoc-ref file-mime-types (file-extension
file-name))))
- #:body (call-with-input-file file-name get-bytevector-all))
+ `((content-type . ,(assoc-ref file-mime-types (file-extension
file-path))))
+ #:body (call-with-input-file file-path get-bytevector-all))
(respond-not-found file-name))))
(define (respond-build-not-found build-id)
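Review bot: The `content-type` value in `respond-static-file` comes from `(assoc-ref file-mime-types (file-extension file-path))`, which is `#f` for any extension missing from `file-mime-types`. Only part of that table is visible in this patch, so it is worth confirming it has entries for `otf`, `woff` and `png`, which the new white list serves; a response without a declared type leaves the browser to sniff the content. Taking the extension from the white-listed `file-name` and adding a fallback, e.g. `(or (assoc-ref file-mime-types (file-extension file-name)) '(application/octet-stream))`, would keep the header well-formed. Separately, dropping the `..` test is safe only while the match stays an exact `member` lookup, so a one-line comment saying so next to the `member` call would help.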