main.c: Reject invalid /public/ requests
Otherwise: - slcl would accept /public/ (i.e., without a file name) as a valid resource. This would incorrectly map the public/ directory on the database, making slcl return -1 because public/ is not a regular file. - slcl would accept directory names (e.g.: /public/dir/), which is never expected since slcl stores all public files in a single directory.
parent
b7f232366c
commit
afc5cf0dfc
10
main.c
10
main.c
|
@ -429,7 +429,8 @@ static int getpublic(const struct http_payload *const p,
|
|||
{
|
||||
int ret = -1;
|
||||
struct auth *const a = user;
|
||||
const char *const adir = auth_dir(a);
|
||||
const char *const adir = auth_dir(a),
|
||||
*const file = p->resource + strlen("/public/");
|
||||
struct dynstr d;
|
||||
|
||||
dynstr_init(&d);
|
||||
|
@ -439,6 +440,13 @@ static int getpublic(const struct http_payload *const p,
|
|||
fprintf(stderr, "%s: auth_dir failed\n", __func__);
|
||||
goto end;
|
||||
}
|
||||
else if (!*file || filename_invalid(file))
|
||||
{
|
||||
fprintf(stderr, "%s: invalid filename %s\n",
|
||||
__func__, p->resource);
|
||||
ret = page_forbidden(r);
|
||||
goto end;
|
||||
}
|
||||
else if (path_invalid(p->resource))
|
||||
{
|
||||
fprintf(stderr, "%s: illegal relative path %s\n",
|
||||
|
|
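Review bot: The new `file` pointer in getpublic's declarations is computed as `p->resource + strlen("/public/")` before anything visible confirms that the resource begins with that prefix, so the `!*file` test is only meaningful if the caller guarantees it. Presumably the handler is registered on a `/public/` route, but that registration is not in this hunk; if a shorter resource ever reached it, the pointer would land past the string's terminator. I would either state the invariant beside the declaration, `/* p->resource starts with "/public/": guaranteed by the route this handler is registered on. */`, or verify it with `strncmp(p->resource, "/public/", strlen("/public/"))` before `file` is dereferenced. Separately, the rejected `p->resource` is written to stderr unmodified, so a request path containing control characters may end up verbatim in the log. getpublic starts before and continues after the visible lines.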