remove '../' after percent decoding
parent
46f2c7238a
commit
bc306eaf8a
2
main.c
2
main.c
|
@ -58,6 +58,8 @@ main(int argc, char **argv)
|
|||
uridecode(query);
|
||||
uridecode(path);
|
||||
|
||||
rmdbldot(path);
|
||||
|
||||
/* is it cgi ? */
|
||||
if (*cgi_dir)
|
||||
if (do_cgi(chroot_dir, cgi_dir, path, hostname, query) == 0)
|
||||
|
|
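Review bot: The new `rmdbldot(path);` call depends on running after `uridecode(path)`, but nothing at the call site says so, and a later reordering would silently reintroduce the problem this commit fixes. I would add a comment above it such as `/* must stay after uridecode(): percent-encoded dot segments only become "/.." once decoded */`. `query` is decoded on the line above and then handed to `do_cgi()` without the same filtering; if any CGI handler uses it to build a filesystem path that is worth a check, though that cannot be confirmed from this hunk. The body of `main` starts and ends outside the hunk.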
16
vger.c
16
vger.c
|
@ -327,11 +327,6 @@ cgi(const char *cgicmd)
|
|||
char *
|
||||
read_request(char *request)
|
||||
{
|
||||
/*
|
||||
* read the request, check for errors and sanitize the input
|
||||
*/
|
||||
char *pos = NULL;
|
||||
|
||||
/* read 1024 +1 chars from stdin to get the request (1024 + \0) */
|
||||
|
||||
if (fgets(request, GEMINI_REQUEST_MAX, stdin) == NULL) {
|
||||
|
@ -359,11 +354,18 @@ read_request(char *request)
|
|||
/* save request for logs */
|
||||
esnprintf(_request, sizeof(_request), "%s", request);
|
||||
|
||||
return request;
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
rmdbldot(char *request)
|
||||
{
|
||||
char *pos = NULL;
|
||||
|
||||
/* remove all "/.." for safety reasons */
|
||||
while ((pos = strstr(request, "/..")) != NULL)
|
||||
memmove(request, pos + 3, strlen(pos) + 1 - 3); /* "/.." = 3 */
|
||||
|
||||
return request;
|
||||
}
|
||||
|
||||
char *
|
||||
|
|
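Review bot: In the second hunk `rmdbldot` is defined as `void` (and declared `void rmdbldot(char *);` in vger.h) but, as rendered here, its body still ends with `return request;`, which is a constraint violation in C; drop that line or use a bare `return;`. The comment `/* remove all "/.." for safety reasons */` also understates what the loop does: `memmove(request, pos + 3, ...)` copies to the start of the buffer, so everything before each match is discarded as well, and the comment should say that, e.g. `/* drop everything up to and including each "/.." */`. The pattern only matches a `..` that is preceded by `/`, so a `..` component at the very start of the string is not covered. Rejecting the request with an error status when any path component equals `..` would be easier to reason about than rewriting the string in place.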
1
vger.h
1
vger.h
|
@ -46,6 +46,7 @@ void check_path(char *, size_t, int, size_t);
|
|||
ssize_t display_file(const char *);
|
||||
int do_cgi(const char *, const char *, const char *, const char *, const char *);
|
||||
void drop_privileges(const char *, const char *, const char *);
|
||||
void rmdbldot(char *);
|
||||
char * set_path(char *, size_t, int, const char *);
|
||||
void split_request(const char *, char *, char *, char *);
|
||||
void status(const int, const char *, ...);
|
||||
|
|