
StaticFileHandler doesn't work on Windows

Open konovod opened this issue 2 years ago • 1 comments

Description

StaticFileHandler doesn't work on Windows due to expand_path adding drive letter in Windows.

Steps to Reproduce

  1. Take hello world project (use Kemal.run(trap_signal: false) due to #658 )
  2. Add public dir with some files
  3. Run and try to access any file.

Expected behavior: In Windows, as in Linux, browser should show a file.

Actual behavior: Browser shows error (status 302 with pretty misleading message in case of Firefox)

Reproduces how often: Always

Versions

Crystal 1.9.2, Kemal 1.4.0

Additional Information

The problem is in a line
https://github.com/kemalcr/kemal/blob/c995a2a9711d72d90b347683007b45bbaf495317/src/kemal/static_file_handler.cr#L30

That expands file.html to d:\file.html in Windows (adds a drive letter), which is later concatenated with public dir, giving final path ...\public\d:\file.html. If this line is replaced with expanded_path = request_path, the problem is gone and the file is shown, but this is (perhaps) unacceptable as a fix - if I understand correctly, this line is there to avoid a way to escape from public dir. I'm not sure how a correct fix should work - expand a path from a public dir, then check that the result is inside public dir? Or maybe expand_path in stdlib should be fixed not to add a drive letter?

konovod, Jul 31 '23 10:07
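The approach asked about above (expand from the public dir, then check that the result is still inside it), as an added Python example that is not Kemal's code or part of the original issue. It uses `ntpath` so Windows path rules apply on any OS; `buggy_lookup`, `safe_lookup`, the `D:` current drive and `C:\site\public` are constructed for illustration.

```python
import ntpath
from urllib.parse import unquote

def buggy_lookup(public_dir, request_path, cwd_drive="D:"):
    # Model of the behaviour the issue reports: the request path is expanded
    # to an absolute path first (gaining the current drive), then concatenated.
    expanded = ntpath.normpath(ntpath.join(cwd_drive + "\\", request_path))
    return public_dir.rstrip("\\") + "\\" + expanded

def safe_lookup(public_dir, request_path, pathmod=ntpath):
    """Return the resolved path inside public_dir, or None if it escapes."""
    decoded = unquote(request_path)            # so %2e%2e is seen as ".."
    if "\x00" in decoded:
        return None
    if pathmod is ntpath:
        decoded = decoded.replace("\\", "/")   # both separators count on Windows
    rel = decoded.lstrip("/")                  # URL path is relative to the root
    if pathmod.splitdrive(rel)[0]:             # "d:..." would re-root join()
        return None
    root = pathmod.normpath(public_dir)
    candidate = pathmod.normpath(pathmod.join(root, rel))
    # Compare case-normalised and on a separator boundary, so that
    # C:\site\public-old is not accepted as being inside C:\site\public.
    r, c = pathmod.normcase(root), pathmod.normcase(candidate)
    if c != r and not c.startswith(r.rstrip(pathmod.sep) + pathmod.sep):
        return None
    return candidate

if __name__ == "__main__":
    PUBLIC = r"C:\site\public"                 # constructed sample root
    print("buggy:", buggy_lookup(PUBLIC, "/file.html"))
    samples = ["/file.html", "/css/../img/a.png", "/../secret.txt",
               "/%2e%2e/secret.txt", "/..\\..\\other\\x.txt",
               "/d:/file.html", "/../public-old/x.txt"]
    for req in samples:                        # constructed request paths
        print(req, "->", safe_lookup(PUBLIC, req))
```

The check is purely lexical: it does not resolve symlinks or junctions that sit inside the public dir.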

Looks like this is already mentioned in https://github.com/kemalcr/kemal/pull/657#issuecomment-1630782498

konovod, Jul 31 '23 10:07