security fix: Under Windows, you can jump out of the serve dir to acc…

…ess any file on the server

crates/serve-static/src/dir.rs

@@ -322,6 +322,10 @@ impl Handler for StaticDir {
         if self.include_dot_files || !is_dot_file {
             for root in &self.roots {
                 let raw_path = join_path!(root, &rel_path);
+                // Security check to ensure that the accessed path is a subpath of the current root path.
+                if !Path::new(&raw_path).starts_with(root) {
+                    continue;
+                }
                 for filter in &self.exclude_filters {
                     if filter(&raw_path) {
                         continue;

crates/serve-static/src/lib.rs

@@ -59,7 +59,7 @@ pub(crate) fn format_url_path_safely(path: &str) -> String {
     let final_slash = if path.ends_with('/') { "/" } else { "" };
     let mut used_parts = Vec::with_capacity(8);
     for part in path.split(['/', '\\']) {
-        if part.is_empty() || part == "." {
+        if part.is_empty() || part == "." || (cfg!(windows) && part.contains(':')) {
             continue;
         } else if part == ".." {
             used_parts.pop();