Giters

kemalcr / kemal

Fast, Effective, Simple Web Framework

Home Page:https://kemalcr.com

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

StaticFileHandler doesn't work on Windows

konovod opened this issue · comments

commented

Description

StaticFileHandler doesn't work on Windows due to expand_path adding drive letter in Windows.

Steps to Reproduce

  1. Take hello world project (use Kemal.run(trap_signal: false) due to #658 )
  2. Add public dir with some files
  3. Run and try to access any file.

Expected behavior: In Windows, as in Linux, browser should show a file.

Actual behavior: Browser shows error (status 302 with pretty misleading message in case of Firefox)

Reproduces how often: Always

Versions

Crystal 1.9.2, Kemal 1.4.0

Additional Information

The problem is in a line

kemal/src/kemal/static_file_handler.cr

Line 30 in c995a2a

expanded_path = File.expand_path(request_path, "/")

That expands file.html to d:\file.html in Windows (adds a drive letter), that is later is concatenated with public dir, giving final path ...\public\d:\file.html.
If this line is replaced with expanded_path = request_path, problem is gone and file is shown, but this is (perhaps) unacceptable as a fix - if I understand correctly, this line is to avoid a way to escape from public dir.
I'm not sure how correct fix should work - expand a path from a public dir then check that result is inside public dir? Or maybe expand_path in stdlib should be fixed to do not add a drive letter?

commented

Looks like this is a already mentioned in of #657 (comment)