authorXavier Del Campo Romero <xavi92@disroot.org>2026-02-09 00:29:49 +0100
committerXavier Del Campo Romero <xavi92@disroot.org>2026-02-09 00:35:22 +0100
commit424e46f5408776cd36d8258d3cbffa55acf56cc7 (patch)
tree6f801587fe2a39f6e805e987e678fe5864d0e015 /http.c
parentd85032afdc75eaba775c90a7943a24b4c1f6383c (diff)
http.c: Fix attack vector on PUT requests
Without the fix, a malicious user could perform a large number of PUT requests to any endpoint, whether correct or not, so that libweb would allocate a large number of temporary files without removing them, eventually exhausting system resources.
Diffstat (limited to 'http.c')
-rw-r--r--http.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/http.c b/http.c
index 6410192..806171d 100644
--- a/http.c
+++ b/http.c
@@ -649,7 +649,11 @@ static void ctx_free(struct ctx *const c)
fprintf(stderr, "%s: fclose(3) p->f: %s\n",
__func__, strerror(errno));
- free(c->u.put.tmpname);
+ if (p->tmpname && remove(p->tmpname) && errno != ENOENT)
+ fprintf(stderr, "%s: remove(3) %s: %s\n",
+ __func__, p->tmpname, strerror(errno));
+
+ free(p->tmpname);
}
free(c->field);
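Review bot: The `errno != ENOENT` exemption on the added `remove(p->tmpname)` check has no comment saying why a missing file is acceptable, which makes it the condition a later cleanup is most likely to drop. Presumably the file is already gone when a handler has renamed or consumed the upload; if that is the contract, a comment such as `/* ENOENT is expected: the handler may already have moved the file. */` above the check would record it, and the handler documentation should state that a temporary file left in place is deleted here. The cleanup also only runs once ctx_free is reached, so each temporary file lives as long as its connection context; whether the number or total size of in-flight PUT uploads is bounded is not visible in this hunk and is worth confirming, since the exhaustion concern in the commit message applies to uploads held open as well. ctx_free starts before the hunk and continues after it.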