Big Security Issue! StaticFilesModule allows access to ANY file on harddrive. #68

@MarcusWichelmann

Description

There is a very big security flaw in the StaticFilesModule class because of the use of `Path.Combine()`.
See: https://github.com/unosquare/embedio/blob/master/src/Unosquare.Labs.EmbedIO/Modules/StaticFilesModule.cs#L212
This method returns only the second (user-defined) parameter when the second parameter is something like `C:/...`. Thanks to this it's possible to download more or less any file that's stored on the PC the webserver runs on, which is very bad.

Also see this Stack Overflow answer, where I've posted further information: http://stackoverflow.com/questions/1321466/securely-enforcing-user-input-file-paths-within-subdirectories/42543716#42543716

Sample code:

```csharp
using System;
using Unosquare.Labs.EmbedIO;
using Unosquare.Labs.EmbedIO.Modules;

// Minimal server that serves the contents of R:/HTML/ on port 5555.
WebServer server = new WebServer(5555);
server.RegisterModule(new StaticFilesModule("R:/HTML/"));
server.Module<StaticFilesModule>().UseGzip = true;
server.Module<StaticFilesModule>().UseRamCache = false;

// Start listening; added so the snippet runs as-is (the original omitted it).
server.RunAsync();
Console.ReadKey();
```

For example it's possible to download a list of all recently used FileZilla credentials this way:
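The root cause described in the report is that `Path.Combine` discards its first argument whenever the second one is rooted, so the web root is never enforced. The following is an added example (not EmbedIO's code, and not the reporter's) of how a static file handler can map a requested path onto a fixed root safely: it rejects rooted input up front, resolves the combined path with `Path.GetFullPath` so `..` segments are collapsed, and then verifies that the result still starts with the root directory (with a trailing separator, so a sibling directory such as `www-secret` cannot match). The `webRoot` used in `Main` is a hypothetical directory under the temp folder.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;

// Added example: safe mapping of a user-supplied relative path onto a web root.
// Path.Combine alone is unsafe here because a rooted second argument
// (for example "C:/...") is returned unchanged and the root is ignored.
static class SafePathMapping
{
    // Returns the absolute file path if it lies inside rootDirectory, else null.
    public static string MapToRoot(string rootDirectory, string requestedPath)
    {
        // Normalise the root to an absolute path ending in a separator so that
        // "C:\www" does not accidentally match "C:\www-secret\...".
        string root = Path.GetFullPath(rootDirectory);
        string sep = Path.DirectorySeparatorChar.ToString();
        if (!root.EndsWith(sep))
            root += sep;

        // Rooted requests (drive letters, UNC paths, leading separators) would
        // make Path.Combine drop the root entirely, so reject them outright.
        if (Path.IsPathRooted(requestedPath))
            return null;

        // GetFullPath collapses "." and ".." segments (and "/" on Windows),
        // giving the real target of the request.
        string candidate = Path.GetFullPath(Path.Combine(root, requestedPath));

        // File systems on Windows are case-insensitive; elsewhere compare exactly.
        StringComparison cmp = RuntimeInformation.IsOSPlatform(OSPlatform.Windows)
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;

        // The resolved path must still be underneath the root prefix.
        return candidate.StartsWith(root, cmp) ? candidate : null;
    }

    public static void Main()
    {
        // Hypothetical web root; only the path arithmetic matters here.
        string webRoot = Path.Combine(Path.GetTempPath(), "www");

        string[] requests =
        {
            "index.html",            // normal request, stays under the root
            "css/../index.html",     // harmless ".." that resolves back inside
            "../outside.txt",        // escapes the root via ".."
            "C:/some/absolute/file", // rooted on Windows: Combine would return it verbatim
        };

        foreach (string request in requests)
        {
            string mapped = MapToRoot(webRoot, request);
            Console.WriteLine($"{request,-24} -> {(mapped ?? "REJECTED")}");
        }
    }
}
```

The check on the resolved path is what matters: validating the raw input string (for example, searching for `..`) is easy to bypass through alternate encodings or mixed separators, whereas `Path.GetFullPath` yields the path the OS will actually open, and comparing that against the root prefix covers both the rooted-argument case from this report and ordinary directory traversal.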