| -rw-r--r-- | main.c | 10 |
1 files changed, 9 insertions, 1 deletions
@@ -429,7 +429,8 @@ static int getpublic(const struct http_payload *const p,
 {
 int ret = -1;
 struct auth *const a = user;
- const char *const adir = auth_dir(a);
+ const char *const adir = auth_dir(a),
+ *const file = p->resource + strlen("/public/");
 struct dynstr d;
 dynstr_init(&d);
@@ -439,6 +440,13 @@ static int getpublic(const struct http_payload *const p,
 fprintf(stderr, "%s: auth_dir failed\n", __func__);
 goto end;
 }
+ else if (!*file || filename_invalid(file))
+ {
+ fprintf(stderr, "%s: invalid filename %s\n",
+ __func__, p->resource);
+ ret = page_forbidden(r);
+ goto end;
+ }
 else if (path_invalid(p->resource))
 {
 fprintf(stderr, "%s: illegal relative path %s\n", |
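Review bot: The new `file` initialiser in the first hunk adds `strlen("/public/")` to `p->resource` without any visible check that the resource starts with that prefix or is at least that long. If the route matching outside this hunk ever hands getpublic a shorter string (for example `/public` with no trailing slash), the pointer lands past the terminator and the later `!*file` test reads out of bounds. Unless the dispatcher guarantees the prefix, guard first with something like `if (strncmp(p->resource, "/public/", strlen("/public/"))) { ret = page_forbidden(r); goto end; }` and only then derive `file`. The function body starts and ends outside the hunk, so the guarantee may exist where it is not shown; a one-line comment on the declaration stating it would settle the question.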
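Review bot: The rejection branch added in the second hunk writes the request's `p->resource` to stderr verbatim, at the moment it has been judged invalid. If the resource has been percent-decoded by then (not visible here), embedded newlines or terminal control bytes can forge or corrupt log lines. Consider logging without the raw value, `fprintf(stderr, "%s: invalid filename\n", __func__);`, or passing it through an escaping step before printing. The `path_invalid` branch that follows prints the same string and would want the same treatment. Whether the code after this chain builds the on-disk path from `file` or from `p->resource` lies outside the hunk; it should use the string that was validated.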
