frodovdr/octonet
1
0
Fork 0
mirror of https://github.com/DigitalDevices/octonet.git synced 2023-10-10 13:36:52 +02:00
Code Issues Releases Wiki Activity

do not allow any .. in requested file name

Browse Source
This commit is contained in:
Ralph Metzler 2018-03-14 10:08:37 +01:00
parent 7b9c4f9ee8
commit e85ca1478b
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
octoserve/http.c
View File

@ -107,7 +107,7 @@ void send_http_file(int sock, char *fn)
uint8_t buf[1024]; uint8_t buf[1024];
int len, len2, fd; int len, len2, fd;
char fn2[1024] = { 0 }, *d, **m; char fn2[1024] = { 0 }, *d, **m;
strcat(fn2, "/var/satip"); strcat(fn2, "/var/satip");
strcat(fn2, fn); strcat(fn2, fn);
d = strrchr(fn, '.'); d = strrchr(fn, '.');
@ -561,7 +561,8 @@ void handle_http(struct os_ssdp *ss)
while (buf[j] && buf[j] != '\r' && buf[j] != ' ') while (buf[j] && buf[j] != '\r' && buf[j] != ' ')
j++; j++;
buf[j] = 0; buf[j] = 0;
if (i == j) { if (i == j ||
(NULL !=strstr(buf + i, ".."))) {
send_http_error(ss->csock, 404); send_http_error(ss->csock, 404);
break; break;
} }