frodovdr
/
octonet
mirror of https://github.com/DigitalDevices/octonet.git
1
0
Fork 0
Code Issues Releases Wiki Activity

do not allow any .. in requested file name

This commit is contained in:
Ralph Metzler 2018-03-14 10:08:37 +01:00
parent 7b9c4f9ee8
commit e85ca1478b
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
octoserve/http.c
View File

@ -107,7 +107,7 @@ void send_http_file(int sock, char *fn)
uint8_t buf[1024];
int len, len2, fd;
char fn2[1024] = { 0 }, *d, **m;
strcat(fn2, "/var/satip");
strcat(fn2, fn);
d = strrchr(fn, '.');
@ -561,7 +561,8 @@ void handle_http(struct os_ssdp *ss)
while (buf[j] && buf[j] != '\r' && buf[j] != ' ')
j++;
buf[j] = 0;
if (i == j) {
if (i == j ||
(NULL !=strstr(buf + i, ".."))) {
send_http_error(ss->csock, 404);
break;
}