(trunk libT) better filtering of maliciously-crafted URLs when serving web interface files

Charles Kerr 2009-04-10 15:09:31 +00:00
parent 2b8f8166bd
commit f00c152315
1 changed files with 13 additions and 8 deletions


@ -357,20 +357,25 @@ handle_clutch( struct evhttp_request * req,
{
char * pch;
char * subpath;
char * filename;
subpath = tr_strdup( req->uri + 18 );
if(( pch = strchr( subpath, '?' )))
*pch = '\0';
filename = tr_strdup_printf( "%s%s%s",
clutchDir,
TR_PATH_DELIMITER_STR,
subpath && *subpath ? subpath : "index.html" );
if( strstr( subpath, ".." ) )
{
send_simple_response( req, HTTP_NOTFOUND, "<p>Tsk, tsk.</p>" );
}
else
{
char * filename = tr_strdup_printf( "%s%s%s",
clutchDir,
TR_PATH_DELIMITER_STR,
subpath && *subpath ? subpath : "index.html" );
serve_file( req, server, filename );
tr_free( filename );
}
serve_file( req, server, filename );
tr_free( filename );
tr_free( subpath );
}
}
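Review bot: The new `strstr( subpath, ".." )` guard inspects only the raw request URI for a literal two-dot sequence, so it holds only as long as nothing in `serve_file` or an earlier layer decodes or otherwise rewrites the path after this check (not visible here). A containment test on the resolved path is more robust than a substring deny-list: canonicalise `filename` (for example with `realpath`) and serve it only if the result still starts with the canonicalised `clutchDir` followed by a path delimiter, which also covers symlinks inside the web directory. Separately, `req->uri + 18` assumes the caller has already matched an 18-byte prefix; that check lies outside this hunk, so a named constant or a comment like `/* caller verified the URI prefix, 18 bytes */` would make the assumption reviewable. The `subpath && *subpath` test cannot protect against a NULL `subpath`, because `strchr` and `strstr` have already dereferenced it by then. handle_clutch starts before this hunk, so the prefix handling could not be checked from here.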