(trunk libT) better filtering of maliciously-crafted URLs when serving web interface files
parent
2b8f8166bd
commit
f00c152315
|
@ -357,20 +357,25 @@ handle_clutch( struct evhttp_request * req,
|
|||
{
|
||||
char * pch;
|
||||
char * subpath;
|
||||
char * filename;
|
||||
|
||||
subpath = tr_strdup( req->uri + 18 );
|
||||
if(( pch = strchr( subpath, '?' )))
|
||||
*pch = '\0';
|
||||
|
||||
filename = tr_strdup_printf( "%s%s%s",
|
||||
clutchDir,
|
||||
TR_PATH_DELIMITER_STR,
|
||||
subpath && *subpath ? subpath : "index.html" );
|
||||
if( strstr( subpath, ".." ) )
|
||||
{
|
||||
send_simple_response( req, HTTP_NOTFOUND, "<p>Tsk, tsk.</p>" );
|
||||
}
|
||||
else
|
||||
{
|
||||
char * filename = tr_strdup_printf( "%s%s%s",
|
||||
clutchDir,
|
||||
TR_PATH_DELIMITER_STR,
|
||||
subpath && *subpath ? subpath : "index.html" );
|
||||
serve_file( req, server, filename );
|
||||
tr_free( filename );
|
||||
}
|
||||
|
||||
serve_file( req, server, filename );
|
||||
|
||||
tr_free( filename );
|
||||
tr_free( subpath );
|
||||
}
|
||||
}
|
||||
|
|
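Review bot: The added `strstr( subpath, ".." )` test is a substring denylist on the raw `req->uri` text, so it only holds if nothing downstream decodes or normalises the path. The visible lines show no percent-decoding, but `serve_file` is outside this hunk and should be checked. A sturdier guard would resolve `filename` to a canonical path (for example with `realpath()`) and serve it only when the result still begins with `clutchDir`, which would also cover symlinks placed inside the web directory. Separately, the new `strstr` call, like the existing `strchr`, dereferences `subpath` before the later `subpath && *subpath` test, so a NULL return from `tr_strdup` is not actually handled; `if( !subpath || strstr( subpath, ".." ) )` would at least make the new lines consistent with that test. The enclosing block opens before this hunk, and `req->uri + 18` relies on a prefix check presumably made there.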