Germinal v0.2.0 update

solderpunk solderpunk at SDF.ORG
Mon Jun 15 12:01:14 BST 2020


On Mon, Jun 15, 2020 at 06:55:33AM -0400, Jason McBrayer wrote:
> Sure. Originally, I took a very simplistic approach, just eating '../'
> whenever I saw it in a request. Unfortunately, it didn't handle a bare
> '..', which meant the parent directory of the document root was
> listable. Worse, you could construct a request like
> gemini://my.site/.../...//.../...//etc/passwd to get whatever you
> wanted, as long as it was locally world-readable.
> 
> The fix normalizes all pathnames before looking for files, and it checks
> that the resulting path is under the document root. I pulled in a
> library to help with this, which I originally wanted to avoid, but
> pathname handling in Common Lisp is pretty weird, and I felt the library
> (ppath) was worth it.

Thanks for sharing this!  A good cautionary tale for people quickly
throwing together servers.

For what it's worth, if Molly Brown detects even a single ".." in a
request URL anywhere it immediately returns:

"50 Your directory traversal technique has been defeated!\r\n"

without even consulting the filesystem. :)  Just not worth the risk of
trying to get it right, IMHO.  Even then, I *still* explicitly check
the resultant filesystem path is under the document root, and also
explicitly check that it is not equal to the server access log or the
TLS cert or key files (which should never be inside the document root,
but better safe than sorry!).

Cheers,
Solderpunk
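As an added illustration (not Molly Brown's or Germinal's own code), the three layers described in the message above in Go: reject any ".." outright, normalise and confine the path to the document root, then refuse the log and TLS files by name. The document root, log and certificate paths are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed configuration for this example (hypothetical paths). The access
// log is deliberately placed inside the document root so the last check fires.
var (
	docRoot   = "/var/gemini"
	accessLog = "/var/gemini/access.log"
	tlsCert   = "/etc/gemini/cert.pem"
	tlsKey    = "/etc/gemini/key.pem"

	errTraversal = errors.New("50 Your directory traversal technique has been defeated!")
	errForbidden = errors.New("50 Permission denied")
)

// resolvePath maps the percent-decoded path of a request URL (url.URL.Path)
// to a filesystem path, or returns the status line to send instead.
func resolvePath(urlPath string) (string, error) {
	// Layer 1: refuse any ".." anywhere, before touching the filesystem.
	if strings.Contains(urlPath, "..") {
		return "", errTraversal
	}
	// Layer 2: normalise (Join runs filepath.Clean, so "//" and "/./" runs
	// collapse) and insist the result is the root or strictly below it; the
	// trailing separator stops a sibling such as /var/gemini2 from matching.
	full := filepath.Join(docRoot, urlPath)
	if full != docRoot && !strings.HasPrefix(full, docRoot+string(filepath.Separator)) {
		return "", errTraversal
	}
	// Layer 3: never serve the log or TLS material, even if under the root.
	for _, secret := range []string{accessLog, tlsCert, tlsKey} {
		if full == secret {
			return "", errForbidden
		}
	}
	return full, nil
}

func main() {
	for _, p := range []string{"/docs/index.gmi", "/.../...//.../...//etc/passwd", "/access.log"} {
		full, err := resolvePath(p)
		fmt.Printf("%-32s -> %q %v\n", p, full, err)
	}
}
```

The string test assumes the path has already been percent-decoded (as url.URL.Path is); run it on the raw request line and an encoded dot would not be seen.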

