From 68a376b7de89efe69cd304fc5877cf849e820d7f Mon Sep 17 00:00:00 2001
From: Stavros Polymenis
Date: Wed, 7 Sep 2016 22:27:08 +0100
Subject: [PATCH] path sanitisation

---
 src/web.ml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/web.ml b/src/web.ml
index dea9918..558dcd9 100644
--- a/src/web.ml
+++ b/src/web.ml
@@ -1,23 +1,27 @@
-open Opium.Std - let load_file f = let ic = open_in f in let n = in_channel_length ic in - let s = String.create n in + let s = Bytes.create n in really_input ic s 0 n; close_in ic; (s) +open Opium.Std + +let sanitised_path path = + let parent = Str.regexp "\.\./" in + Str.global_replace parent "" path + let print_css = get "/style.css" begin fun req -> `String (load_file "ymd/style.css") |> respond' end - + let print_ymd = get "/:title" begin fun req -> - let filename = String.map (fun c -> if '/' = c then '_' else c) (param req "title") in + let filename = sanitised_path (param req "title") in let filepath = "ymd/" ^ filename ^ ".ymd" in `Html (Html.html_of (Logarion.ymd (load_file filepath))) |> respond' end
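Review bot: `sanitised_path` removes only the literal sequence `../` in a single non-iterating `Str.global_replace` pass, so a title such as `....//` still collapses to `../` and the resulting `filepath` in `print_ymd` reaches `open_in` with a parent-directory component; the removed `String.map` line that turned every `/` into `_` was in fact the stronger guard, since with no slash left the `ymd/` prefix and `.ymd` suffix keep the opened file inside the directory (whether `param` has already percent-decoded the segment is not visible here). Rejecting is safer than rewriting: `let sanitised_path path = if String.contains path '/' then invalid_arg "title" else path`, with the handler turning the exception into a not-found response, or at least keep the slash mapping and apply it after the replace. The `\.` sequences in the `Str.regexp` literal are not valid OCaml string escapes and will most likely draw an illegal-escape warning; `"\\.\\./"` is the intended spelling. Separately, `load_file` now returns `bytes`, which only unifies with the `string` that `` `String `` and `Logarion.ymd` appear to expect under the legacy unsafe-string mode; `really_input_string ic n` (or `Bytes.to_string s`) holds either way.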