From 424e46f5408776cd36d8258d3cbffa55acf56cc7 Mon Sep 17 00:00:00 2001
From: Xavier Del Campo Romero
Date: Mon, 9 Feb 2026 00:29:49 +0100
Subject: http.c: Fix attack vector on PUT requests

Without the fix, a malicious user could perform a large number of PUT
requests to any endpoint, regardless of being correct or not, so that
libweb would allocate a large number of temporary files without removing
them, eventually exhausting the system resources.
---
 http.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'http.c')

diff --git a/http.c b/http.c
index 6410192..806171d 100644
--- a/http.c
+++ b/http.c
@@ -649,7 +649,11 @@ static void ctx_free(struct ctx *const c)
             fprintf(stderr, "%s: fclose(3) p->f: %s\n",
                 __func__, strerror(errno));
 
-        free(c->u.put.tmpname);
+        if (p->tmpname && remove(p->tmpname) && errno != ENOENT)
+            fprintf(stderr, "%s: remove(3) %s: %s\n",
+                __func__, p->tmpname, strerror(errno));
+
+        free(p->tmpname);
     }
 
     free(c->field);
-- 
cgit v1.2.3
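Review bot: The `remove(p->tmpname)` added to ctx_free only reclaims the temporary file when the context is torn down, so during a flood of concurrent PUTs each in-flight request still holds one temp file until its connection ends; the exposure is now bounded by however many contexts can be live at once rather than unbounded, which is worth recording in a comment such as `/* Unlink the PUT body's temp file here so rejected or aborted requests cannot leave it behind. */`. The call also assumes a completed PUT has already renamed or consumed the file and cleared `p->tmpname` before ctx_free runs, otherwise successful uploads would be deleted as well — that contract is established outside the hunk and should be confirmed. `p` itself is declared above the hunk; from the removed line `free(c->u.put.tmpname)` it presumably aliases `&c->u.put`. Keeping `fclose(p->f)` ahead of the `remove` is the right order on platforms that refuse to unlink an open file, and the `errno != ENOENT` test correctly keeps an already-missing file from being reported as an error.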