The StaticFileRouter can access files in the immediate parent directory if the
client sends a specially crafted, non-RFC-conforming HTTP 1.x request. If the
HTTP request is sent without a "/" preceding the path, the StaticFileRouter
fails to detect directory traversal since it checks for "/../" in the path.

This PR fixes the issue by detecting if there's potential for directory
traversal. If true, we follow the path and detect if it reaches out of the
document root at any point. Also added 2 new tests for edge cases in static
file serving (not related to the bug).

Co-authored-by: an-tao <antao2002@gmail.com>
Bug discovered by: oToToT <https://github.com/oToToT>
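
The check described in the commit message above (follow the path and see whether it leaves the document root at any point), shown as an added example; this is not the code from the PR, and the function names `naiveLooksSafe` and `escapesDocumentRoot` are hypothetical. It assumes the path is already URL-decoded and uses "/" as the separator.

```cpp
#include <cstddef>
#include <iostream>
#include <string_view>

// Hypothetical name: the insufficient check the message describes,
// which only looks for "/../" in the request path.
bool naiveLooksSafe(std::string_view path)
{
    return path.find("/../") == std::string_view::npos;
}

// Hypothetical name: follow the path component by component and report
// whether it climbs above the document root at any point.
// Assumes the path is already URL-decoded and uses '/' as separator.
bool escapesDocumentRoot(std::string_view path)
{
    // No ".." anywhere means no potential for traversal.
    if (path.find("..") == std::string_view::npos)
        return false;
    int depth = 0;  // 0 == document root
    std::size_t pos = 0;
    while (pos <= path.size())
    {
        std::size_t next = path.find('/', pos);
        if (next == std::string_view::npos)
            next = path.size();
        std::string_view part = path.substr(pos, next - pos);
        if (part == "..")
        {
            if (--depth < 0)
                return true;  // left the document root
        }
        else if (!part.empty() && part != ".")
            ++depth;  // descended into a directory or file name
        pos = next + 1;
    }
    return false;
}

int main()
{
    // Constructed sample paths; the first has no leading "/".
    for (std::string_view p : {"../secret.txt", "/css/../index.html",
                               "/a/../../b", "/file..name.txt"})
        std::cout << p << " naive_safe=" << naiveLooksSafe(p)
                  << " escapes=" << escapesDocumentRoot(p) << '\n';
}
```
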

It is possible for the CacheMap to destruct while a timeout callback is
active. This causes a very rare data race. And it's my hypothesis that
this is the reason behind CacheMap crashes on CI. This patch locks the
wheels upon destructing.

* app().registerHttpHandler() accepts coroutine as handlers
* HttpController can use coroutines as handlers
* Http request handlers with coroutines catch exceptions instead of crashing the entire app
* DbClient now has execSqlCoro that is awaitable
* DbClient now has newTransactionCoro that is awaitable
* HttpClient has an awaitable sendRequestCoro
* WebSocketClient has an awaitable connectToServerCoro
* WebSocketClient has setAsyncMessageHandler and setAsyncConnectionClosedHandler
* drogon::AsyncTask and drogon::Task<T> as our coroutine types
* Related tests
* Misc
Future work
* Coroutine for WebSocket server
* Known issues
co_future() and sync_wait may crash. It looks like a GCC bug but I'm not sure.
Workaround: Make a coroutine of AsyncTask. Then launch said coroutine.
Not sure why wrapping the exact same thing in a function crashes things.
Co-authored-by: an-tao <antao2002@gmail.com>