Ensure zola serve only reads from the public dir

CHANGELOG.md

@@ -7,8 +7,9 @@
 - Support custom syntax highlighting themes
 - Add a `required` argument to taxonomy template functions to allow them to return empty taxonomies
 - Support colocating subfolders
-- shorcodes and `anchor-link.html` can now access the `lang` context
+- Shorcodes and `anchor-link.html` can now access the `lang` context
 - Add prompt before replacing the output directory with `zola build` if the `output-dir` flag is given
+- Shortcode handling has been completely rewritten, solving many issues
 
 ## 0.14.1 (2021-08-24)
 

src/cmd/serve.rs

@@ -73,6 +73,7 @@ static NOT_FOUND_TEXT: &[u8] = b"Not Found";
 const LIVE_RELOAD: &str = include_str!("livereload.js");
 
 async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Response<Body>> {
+    let original_root = root.clone();
     let mut path = RelativePathBuf::new();
     // https://zola.discourse.group/t/percent-encoding-for-slugs/736
     let decoded = match percent_encoding::percent_decode_str(req.uri().path()).decode_utf8() {
@@ -112,6 +113,11 @@ async fn handle_request(req: Request<Body>, mut root: PathBuf) -> Result<Respons
     // otherwise `PathBuf` will interpret it as an absolute path
     root.push(&decoded[1..]);
 
+    // Ensure we are only looking for things in our public folder
+    if !root.starts_with(original_root) {
+        return Ok(not_found());
+    }
+
     let metadata = match tokio::fs::metadata(root.as_path()).await {
         Err(err) => return Ok(io_error(err)),
         Ok(metadata) => metadata,