
I am new to Mojolicious and trying to build a tiny web service using this framework. I wrote the code below, which renders a file remotely:

    use Mojolicious::Lite;
    use strict;
    use warnings;

    app->static->paths->[0] = 'C:\results';

    get '/result' => sub {
        my $self    = shift;
        my $headers = $self->res->headers;
        $headers->content_type('text/zip;charset=UTF-8');
        $self->render_static('result.zip');
    };

    app->start;

But it seems that when I try to fetch the file using the following URL:

http://mydomain:3000/result/./../result

I get the file.

Is there any option in Mojolicious to prevent such directory traversal?

I.e., in the above case I want only

http:/mydomain:300/result

to serve the page. If someone enters this URL:

http://mydomain:3000/result/./../result

the page should not be served. Is it possible to do this?

smith

1 Answer


/$result^/ is a regular expression, and if you have not defined the scalar variable $result (which it does not appear you have), it resolves to /^/, which matches not just http://mydomain:3000/result/./../result but also http://mydomain:3000/john/jacob/jingleheimer/schmidt.

use strict and use warnings, even on tiny webservices.

mob
  • I am sorry, before I pasted my code I changed some variable names and I had typos. I corrected it; above is the case I am talking about – smith Nov 18 '13 at 21:12
  • Sorry, I revisited the post and the code; it may still have some typos, as English is not my first language – smith Nov 18 '13 at 21:56
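
One way to get the behaviour asked for in the question, as an added example that is not part of the original post or answer: a `before_dispatch` hook answers 404 whenever the request path contains a `.` or `..` segment, so only the literal `/result` reaches the route. It assumes a current Mojolicious release, where `reply->static` replaces `render_static`. Many HTTP clients collapse dot segments themselves before sending, in which case the server only ever sees `/result`.

```perl
use Mojolicious::Lite;    # also turns on strict and warnings

# Same static directory as in the question.
app->static->paths->[0] = 'C:\results';

# Runs before the static file server and the router.
# Mojo::Path->parts holds the percent-decoded path segments,
# so an encoded "%2e%2e" is compared as ".." as well.
hook before_dispatch => sub {
    my $c     = shift;
    my $parts = $c->req->url->path->parts;

    # Nothing to do for paths without dot segments.
    return unless grep { $_ eq '.' || $_ eq '..' } @$parts;

    # Rendering here sets a response code, which stops further dispatching.
    $c->render(text => 'Not found', status => 404);
};

get '/result' => sub {
    my $c = shift;

    # The Content-Type is chosen from the file extension
    # (Mojolicious maps "zip" to application/zip).
    $c->reply->static('result.zip');
};

app->start;
```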