main.c: Reject invalid /public/ requests

Otherwise:

- slcl would accept /public/ (i.e., without a file name) as a valid
resource. This would incorrectly map the public/ directory on the
database, making slcl return -1 because public/ is not a regular
file.

- slcl would accept directory names (e.g.: /public/dir/), which is never
expected since slcl stores all public files into a single directory.
Xavier Del Campo Romero 2024-02-20 08:18:11 +01:00
parent b7f232366c
commit afc5cf0dfc
Signed by: xavi
GPG Key ID: 84FF3612A9BF43F2
1 changed files with 9 additions and 1 deletions

10
main.c

@ -429,7 +429,8 @@ static int getpublic(const struct http_payload *const p,
{
int ret = -1;
struct auth *const a = user;
const char *const adir = auth_dir(a);
const char *const adir = auth_dir(a),
*const file = p->resource + strlen("/public/");
struct dynstr d;
dynstr_init(&d);
@ -439,6 +440,13 @@ static int getpublic(const struct http_payload *const p,
fprintf(stderr, "%s: auth_dir failed\n", __func__);
goto end;
}
else if (!*file || filename_invalid(file))
{
fprintf(stderr, "%s: invalid filename %s\n",
__func__, p->resource);
ret = page_forbidden(r);
goto end;
}
else if (path_invalid(p->resource))
{
fprintf(stderr, "%s: illegal relative path %s\n",
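Review bot: `file` is derived in the initializer as `p->resource + strlen("/public/")` before anything in the visible lines confirms that the resource begins with that prefix, so the new `!*file` test would read past the end of the string if this handler were ever reached with a shorter resource. The route registration is outside the hunk and presumably guarantees the prefix; if so, say so next to the declaration, e.g. `/* only dispatched for "/public/..." resources, so the offset stays inside the string */`, and otherwise check `strncmp(p->resource, "/public/", strlen("/public/"))` before dereferencing `file`. Rejecting `/public/dir/` also depends on `filename_invalid` refusing `/`, which is defined elsewhere and worth confirming. The body of getpublic starts and ends outside these hunks.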