From e6f44928662a68e752da218514085e8d8b039dae Mon Sep 17 00:00:00 2001 From: =?utf8?q?Alexis=20Laferri=C3=A8re?= Date: Tue, 8 Dec 2015 08:28:48 -0500 Subject: [PATCH] contrib/nitiwiki: use absolute paths to detect access outside the source dir MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Alexis Laferrière --- contrib/nitiwiki/src/wiki_edit.nit | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/contrib/nitiwiki/src/wiki_edit.nit b/contrib/nitiwiki/src/wiki_edit.nit index 22faa25..7dd6012 100644 --- a/contrib/nitiwiki/src/wiki_edit.nit +++ b/contrib/nitiwiki/src/wiki_edit.nit @@ -94,7 +94,10 @@ class EditAction var file_path = turi.strip_leading_slash file_path = wiki_root / file_path - if not file_path.simplify_path.has_prefix(source_dir) then + var abs_file_path = file_path.to_absolute_path + var abs_source_dir = source_dir.to_absolute_path + + if not abs_file_path.has_prefix(abs_source_dir) then # Attempting to access a file outside the source directory var entity = new WikiEditForm(wiki, turi.strip_leading_slash, "Access denied: ", "", "

Target outside of the source directory

") @@ -166,6 +169,11 @@ redef class String if has_prefix("/") then return substring_from(1) return self end + + private fun to_absolute_path: String + do + return (getcwd / self).simplify_path + end end var config_file_path = "config.ini" -- 1.7.9.5
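Review bot: The new containment test `abs_file_path.has_prefix(abs_source_dir)` in the first hunk compares raw strings, so a sibling directory whose name merely begins with the source directory's name (constructed example: `/srv/wiki/pages-old` against `/srv/wiki/pages`) is still accepted as being inside it. The comparison should stop on a path boundary, for example `if abs_file_path != abs_source_dir and not abs_file_path.has_prefix(abs_source_dir + "/") then`. That form assumes `simplify_path` leaves no trailing slash on `abs_source_dir`, which should be confirmed. The enclosing method of `EditAction` starts and ends outside this hunk, so any earlier normalisation of `turi` or `source_dir` is not visible here.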
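Review bot: `to_absolute_path` is added without a doc comment, and two properties that the access check relies on are left unstated. The result depends on the process working directory at call time (`getcwd`), and `simplify_path` appears to normalise the string only, so a symbolic link inside the source directory that points elsewhere would presumably still pass the prefix check. I would document it with `# Absolute form of self, joined to the current working directory and simplified lexically; symbolic links are not resolved.` If the wiki tree can contain links, canonicalising both sides (e.g. with `realpath`) before comparing would close that gap.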