From 9b39286cda39e66bab3c097937da9be243585f3c Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Fri, 26 Jan 2024 11:32:46 +0100
Subject: Normalize resource path in `find-resource-file`. `..` and `.` are now legal as long as long as the path does not reference the resource root directory's parent.
---
 tests/guile/cantius-test.scm | 25 +++++++++----------------
 1 file changed, 9 insertions(+), 16 deletions(-)
(limited to 'tests/guile/cantius-test.scm')
diff --git a/tests/guile/cantius-test.scm b/tests/guile/cantius-test.scm
index e497bfe..328573c 100644
--- a/tests/guile/cantius-test.scm
+++ b/tests/guile/cantius-test.scm
@@ -189,22 +189,15 @@
 (tu:test-assert (string-prefix? ";;; " (cadr valid-resource-result))))
 
 (tu:test-group "illegal-static-resources"
- (for-each (lambda (resource-path)
- (define illegal-resource-result
- (get resource-path))
-
- (tu:test-eqv 403
- (rsp:response-code (car illegal-resource-result)))
-
- ;; Default handler for illegal resource accesses is expected to
- ;; ignore the value of the `%default-headers` parameter.
- (tu:test-equal '(text/plain (charset . "utf-8"))
- (rsp:response-content-type
- (car illegal-resource-result))))
-
- '("/static/../../../../../etc/passwd"
- "/static/stylesheets/."
- "/static/nonfree/../scripts/main.js")))
+ (define illegal-resource-result
+ (get "/static/stylesheets/../../../../../../etc/passwd"))
+
+ (tu:test-eqv 403 (rsp:response-code (car illegal-resource-result)))
+
+ ;; Default handler for illegal resource accesses is expected to ignore the
+ ;; value of the `%default-headers` parameter.
+ (tu:test-equal '(text/plain (charset . "utf-8"))
+ (rsp:response-content-type (car illegal-resource-result))))
 
 (tu:test-group "missing-static-resources"
 (define missing-resource-result
-- 
cgit v1.2.3
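Review bot: The rewritten "illegal-static-resources" group pins only one deep-traversal path, so the boundary the commit message describes — `..` and `.` allowed inside the root, but not a reference to the root's parent — is no longer exercised by any test: nothing asserts that `/static/..` (exactly the parent) or a path that leaves the root and comes back (a constructed case like `/static/../static/<existing-resource>`) still gets 403, and nothing asserts that the now-legal `/static/stylesheets/.` and `/static/nonfree/../scripts/main.js`, which the old list treated as 403, now resolve successfully. I'd keep the old `for-each` over a list so boundary cases can be added cheaply, and add a positive group for the paths this commit legalises, since whether a round trip through the parent counts as "referencing" it is a decision only `find-resource-file` makes and the tests should record it. Whether percent-encoded dot segments are decoded before normalisation is not visible in this hunk; if they are, the same list is the place to cover that form. The surrounding `tu:test-group` nesting continues outside the hunk.
```scheme
(tu:test-group "illegal-static-resources"
  (for-each (lambda (resource-path)
              (define illegal-resource-result (get resource-path))
              (tu:test-eqv 403 (rsp:response-code (car illegal-resource-result)))
              ;; … unchanged: content-type assertion …
              )
            '("/static/stylesheets/../../../../../../etc/passwd"
              "/static/.."
              "/static/./.."
              ;; include only if transit through the parent is meant to be rejected:
              "/static/../static/<existing-resource>")))
```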