aniani/gophernicus
1
0
Fork 0
mirror of https://github.com/gophernicus/gophernicus.git synced 2025-02-02 15:08:00 -05:00
Code

Search strings were being urldecoded against the specs (bugreport from Kacper Gutowski)

Browse Source
This commit is contained in:
Kim Holviala 2014-01-25 11:45:30 +02:00
parent ae960ab8ce
commit 50a8d5e798
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
gophernicus.c
View File

@ -547,12 +547,12 @@ int main(int argc, char *argv[])
#endif #endif
platform(&st); platform(&st);
/* Read selector, remove CRLF & encodings */ /* Read selector */
if (fgets(selector, sizeof(selector) - 1, stdin) == NULL) if (fgets(selector, sizeof(selector) - 1, stdin) == NULL)
selector[0] = '\0'; selector[0] = '\0';
/* Remove trailing CRLF */
chomp(selector); chomp(selector);
strndecode(selector, selector, sizeof(selector));
if (st.debug) syslog(LOG_INFO, "client sent us \"%s\"", selector); if (st.debug) syslog(LOG_INFO, "client sent us \"%s\"", selector);
@ -626,6 +626,9 @@ int main(int argc, char *argv[])
} }
*dest = '\0'; *dest = '\0';
/* Remove encodings from selector */
strndecode(st.req_selector, st.req_selector, sizeof(st.req_selector));
/* Deny requests for Slashdot and /../ hackers */ /* Deny requests for Slashdot and /../ hackers */
if (strstr(st.req_selector, "/.")) if (strstr(st.req_selector, "/."))
die(&st, ERR_ACCESS, "Refusing to serve out dotfiles"); die(&st, ERR_ACCESS, "Refusing to serve out dotfiles");