Remove dependency on deprecated system-filepath

[hololeap]

This patch removes system-filepath and tries to replace any existing functionality that that package provides.

system-filepath has been deprecated in favor of filepath:
https://hackage.haskell.org/package/system-filepath

[hololeap]

The ability to resolve "/var/uploads/" </> "../uploads/home/../etc/passwd" to "/var/uploads/etc/passwd" has been removed from filepath.

How to implement combineSafe without the deprecated system-filepath package?

This patch is an attempt to address this question.

[hololeap]

I added a test for the combineSafe function, which is passing with this patch.

[ysangkok]

I tried the patch on Linux and it seems to work as expected. I used this:

main = simpleHTTP nullConf $ look "path" >>= serveFileFrom "/tmp" (asContentType "text/plain")

I noticed that combineSafe accepts trailing null bytes, that have no effect. But I guess that isn't really a problem.

I also tried testing it on Windows (wanted to see what happens if I read a pseudo-file like con), but that currently can't be done since the build of sendfile is broken:

[4 of 7] Compiling Network.Socket.SendFile.Win32 (
dist\build\Network\Socket\SendFile\Win32.hs,
dist\build\Network\Socket\SendFile\Win32.o )

src\Network\Socket\SendFile\Win32.hsc:103:1: error:
* Unacceptable result type in foreign declaration:
`IntPtr' cannot be marshalled in a foreign call
because its data constructor is not in scope
Possible fix: import the data constructor to bring it into scope
* When checking declaration:
foreign import ccall unsafe "io.h _get_osfhandle" c_get_osfhandle
:: Fd -> IO IntPtr
|
103 | foreign import ccall unsafe "io.h _get_osfhandle"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
cabal.exe: Failed to build sendfile-0.7.11.1 (which is required by
happstack-server-7.7.1). See the build log above for details.

So I think this looks good. Why is it marked as a draft @hololeap ?

[hololeap]

I am also looking at what is keeping turtle from migrating away from system-filepath. I want to hold off until I get a better understanding of what's happening, as there could be some development that will get wrapped into this PR as well.

[hololeap]

I noticed that combineSafe accepts trailing null bytes, that have no effect. But I guess that isn't really a problem.

What exactly was the input you were giving it, and what was the behavior you expected?

[ysangkok]

@hololeap With this server simpleHTTP nullConf $ serveFileFrom "/tmp" (asContentType "text/plain") $ "donkey.txt" <> concat (replicate 100000 "\x00") and a file in /tmp/donkey.txt, you can do curl localhost:8000 and you get no error. Since serveFileFrom is supposed to accept untrusted input, the replicated bytes that are passed in could have been supplied by the user.

On the other hand, I guess it isn't causing any trouble in this concrete example. I'm more worried about pseudo-files on Windows. But I guess we could also just remove Windows support, I doubt anybody uses it.

[stepcut]

Thanks for getting the ball rolling on this! Would definitely like to pull it into main once the issues are worked out.

[hololeap]

Go ahead and pull this if it seems good. There doesn't seem to be much activity regarding Gabriella439/turtle#54.