Allow directory handler to serve files containing '..'

[kanongil]

Currently, any path containing the characters .. will result in a Boom.forbidden() response.

While this prevents serving files from unauthorized directories, it seems rather excessive and counter-intuitive. For instance this prevents misc..txt from being served.

[hueniverse]

Is this really a use case? preventing '..' is a security feature, and an important one. I know it can be implemented in a more restrictive way, but I don't see how this is worth the complexity. So, is this really a use case?

[kanongil]

It is not really an issue on my end, though I do feel that it breaks the implicit contract of a directory handler by refusing to serve certain files. An alternative fix could be to clearly document this behavior.

[hueniverse]

@geek any thoughts on this?

[kanongil]

If we use the premise that all files within the configured paths have the same access level, we could ensure that it will never serve files from outside these by:

1. Determining the normalized path with Path.join(fileDir, pathComponents)
2. Validate that the resulting string has fileDir as a prefix.

That should take care of most the security concerns, right?

[hueniverse]

Yep.