|
@@ -22,10 +22,17 @@ pub(super) fn desktop_handler(request: &Request, asset_root: Option<PathBuf>) ->
|
|
|
.body(dioxus_interpreter_js::INTERPRETER_JS.as_bytes().to_vec())
|
|
|
} else {
|
|
|
let asset_root = asset_root
|
|
|
- .unwrap_or_else(|| get_asset_root().unwrap_or_else(|| Path::new(".").to_path_buf()));
|
|
|
+ .unwrap_or_else(|| get_asset_root().unwrap_or_else(|| Path::new(".").to_path_buf()))
|
|
|
+ .canonicalize()?;
|
|
|
|
|
|
let asset = asset_root.join(trimmed).canonicalize()?;
|
|
|
|
|
|
+ if !asset.starts_with(asset_root) {
|
|
|
+ return ResponseBuilder::new()
|
|
|
+ .status(StatusCode::FORBIDDEN)
|
|
|
+ .body(String::from("Forbidden").into_bytes());
|
|
|
+ }
|
|
|
+
|
|
|
if !asset.exists() {
|
|
|
return ResponseBuilder::new()
|
|
|
.status(StatusCode::NOT_FOUND)
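Review bot: The containment guard `if !asset.starts_with(asset_root)` is the security-relevant line of this hunk but carries no comment explaining why both paths are canonicalized first, and it moves `asset_root` by value where a borrow would do; I would write it as `// both sides are canonicalized, so `..` and symlinks are resolved before the containment check; anything that escaped asset_root (including a symlink inside it that points outside) is refused` followed by `if !asset.starts_with(&asset_root) {`. The symlink aspect is worth stating explicitly because a legitimately symlinked asset directory will now get 403 rather than being served, which may surprise whoever configures the asset root. Note also that `canonicalize()?` on the joined path already returns an error for a path that does not exist, so the `!asset.exists()` branch below appears unreachable for missing files and the 404 is likely never produced; whether that matters depends on how the `?` error is mapped by the caller, which is outside this hunk. The body of desktop_handler begins before the hunk and continues past it.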
|