commit 2139527df7a43866de1c91ac040db890d0a03a86
parent 70e945afb7fa16c063917e37700653a7d796ccad
Author: Joris Vink <joris@coders.se>
Date: Thu, 28 Jun 2018 15:28:25 +0200
run path via http_argument_urldecode().
Diffstat:
1 file changed, 10 insertions(+), 0 deletions(-)
diff --git a/src/filemap.c b/src/filemap.c
@@ -134,6 +134,16 @@ filemap_serve(struct http_request *req, struct filemap_entry *map)
return;
}
+ if (!http_argument_urldecode(fpath)) {
+ http_response(req, HTTP_STATUS_BAD_REQUEST, NULL, 0);
+ return;
+ }
+
+ if (strstr(fpath, "..")) {
+ http_response(req, HTTP_STATUS_NOT_FOUND, NULL, 0);
+ return;
+ }
+
if ((ref = kore_fileref_get(fpath)) == NULL) {
if ((fd = open(fpath, O_RDONLY | O_NOFOLLOW)) == -1) {
switch (errno) {
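Review bot: The `strstr(fpath, "..")` test is a purely lexical containment check, and the `O_NOFOLLOW` on the `open()` below it only refuses a symlink in the final path component, so a symlinked directory under the served root is still followed. The check is also only meaningful because it runs after `http_argument_urldecode()`, and that ordering is not documented anywhere in the hunk. I would add a comment above it such as `/* Must run on the decoded path: an encoded dot sequence only becomes ".." after decoding. Lexical only; symlinked directories are not covered. */`. Note too that the substring match answers 404 for legitimate names containing two consecutive dots (for example `notes..txt`), and that the decode is applied to the whole of `fpath`, which is built outside this hunk and presumably includes the on-disk root prefix, so it is worth confirming that the root is never altered by decoding. If stricter containment is wanted, canonicalising the path and comparing it against the map's root before `open()` would be a separate follow-up change.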