This repository has been archived by the owner on Nov 22, 2018. It is now read-only.

Inconsistent handling of multiple slashes in path #147

Closed
mikeharder opened this issue Jul 20, 2016 · 8 comments

@mikeharder
Contributor

mikeharder commented Jul 20, 2016

StaticFiles is inconsistent with handling of multiple slashes in a path. It appears to be allowed inside a path, but not at the start.

http://host/foo/bar.html  -> 200

http://host//foo/bar.html -> 404

http://host/foo//bar.html -> 200

It should be either allowed or disallowed in all parts of the path.

@Tratcher
Member

Is this actually caused by static files logic, or is it physical file provider? Embedded file provider will be different.

@muratg muratg added this to the 1.1.0 milestone Jul 25, 2016
@muratg

muratg commented Jul 25, 2016

@JunTaoLuo Could you investigate?

@JunTaoLuo
Contributor

Our checks for rooted paths in the physical file provider are preventing the request from being resolved. https://github.com/aspnet/FileSystem/blob/dev/src/Microsoft.Extensions.FileProviders.Physical/PhysicalFileProvider.cs#L201
If we encounter a path that begins with a forward slash, we strip the first slash. However, if you have two, we only strip the first one and the rest is interpreted as an absolute path which we do not allow for security reasons. Maybe we can trim all leading forward slashes? Is there a reason we are not doing that?

@muratg

muratg commented Jul 29, 2016

@JunTaoLuo I think that's a good idea. Would that break anything that you can think of?

@JunTaoLuo
Contributor

I can't think of any breaks that would be caused by trimming multiple leading slashes. Any concerns @Tratcher? Security especially?

@Tratcher
Member

Try it with the StaticFiles tests. Also try it on unix.
@blowdart?

@JunTaoLuo
Contributor

Tests run fine and I've tested with the static files on core, full framework and core on osx.

@blowdart
Member

What about trying to escape out of the static file root?
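
Added example, not part of the thread and not the project's code: a sketch of the two trimming behaviours discussed above, followed by the containment check that addresses the root-escape question. `LeadingSlashDemo`, `TryResolve`, the `trimAll` switch, the root directory and the request paths are all hypothetical names and constructed inputs.

```csharp
using System;
using System.IO;

static class LeadingSlashDemo
{
    // Hypothetical helper for illustration; not PhysicalFileProvider's code.
    // trimAll = false: strip one leading slash (behaviour described in the thread).
    // trimAll = true:  strip every leading slash (the proposed change).
    static bool TryResolve(string root, string subpath, bool trimAll, out string fullPath)
    {
        fullPath = string.Empty;
        string sep = Path.DirectorySeparatorChar.ToString();
        root = Path.GetFullPath(root);
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep; // trailing separator so "wwwroot-evil" cannot match "wwwroot"

        if (trimAll)
            subpath = subpath.TrimStart('/', '\\');
        else if (subpath.StartsWith("/", StringComparison.Ordinal))
            subpath = subpath.Substring(1);

        // A path that is still rooted after trimming is refused outright.
        if (Path.IsPathRooted(subpath))
            return false;

        // Canonicalise (collapses "..") and require the result to stay under root.
        string candidate = Path.GetFullPath(Path.Combine(root, subpath));
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            return false;

        fullPath = candidate;
        return true;
    }

    static void Main()
    {
        // Constructed root and request paths; nothing needs to exist on disk.
        string root = Path.Combine(Path.GetTempPath(), "wwwroot-demo");
        string[] requests = { "/foo/bar.html", "//foo/bar.html", "/foo//bar.html",
                              "//../secret.txt", "///foo/../../secret.txt" };
        foreach (string request in requests)
            foreach (bool trimAll in new[] { false, true })
            {
                bool ok = TryResolve(root, request, trimAll, out string resolved);
                Console.WriteLine("{0,-26} trimAll={1,-5} -> {2}",
                    request, trimAll, ok ? resolved : "rejected");
            }
    }
}
```

With `trimAll` set, `//foo/bar.html` resolves under the root like `/foo/bar.html`, while the `..` requests are still rejected because the canonicalised path no longer starts with the root.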
