Fix directory traversal bug (#4341)
Refuse to serve a URL containing `../`.
This commit is contained in:
parent
31a8d017d9
commit
85006d10f5
@ -375,14 +375,13 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Remove all "../" strings:
|
|
||||||
ReplaceString(FileURL, "../", "");
|
|
||||||
|
|
||||||
// Read the file contents and guess its mime-type, based on the extension:
|
// Read the file contents and guess its mime-type, based on the extension:
|
||||||
AString Content = "<h2>404 Not Found</h2>";
|
AString Content = "<h2>404 Not Found</h2>";
|
||||||
AString ContentType;
|
AString ContentType = "text/html";
|
||||||
AString Path = Printf(FILE_IO_PREFIX "webadmin/files/%s", FileURL.c_str());
|
AString Path = Printf(FILE_IO_PREFIX "webadmin/files/%s", FileURL.c_str());
|
||||||
if (cFile::IsFile(Path))
|
|
||||||
|
// Return 404 if the file is not found, or the URL contains '../' (for security reasons)
|
||||||
|
if ((FileURL.find("../") == AString::npos) && cFile::IsFile(Path))
|
||||||
{
|
{
|
||||||
cFile File(Path, cFile::fmRead);
|
cFile File(Path, cFile::fmRead);
|
||||||
AString FileContent;
|
AString FileContent;
|
||||||
@ -395,10 +394,10 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
|
|||||||
ContentType = GetContentTypeFromFileExt(Path.substr(LastPointPosition + 1));
|
ContentType = GetContentTypeFromFileExt(Path.substr(LastPointPosition + 1));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
if (ContentType.empty())
|
||||||
if (ContentType.empty())
|
{
|
||||||
{
|
ContentType = "application/unknown";
|
||||||
ContentType = "application/unknown";
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Send the response:
|
// Send the response:
|
||||||
|
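Review bot: The new guard `if ((FileURL.find("../") == AString::npos) && cFile::IsFile(Path))` rejects only one literal spelling of a parent-directory reference, so it is a single-token denylist rather than a containment check on the resolved path. Whether FileURL has already been URL-decoded when it reaches this line is not visible in the hunk; if decoding happens later, a still-encoded dot-dot sequence would pass the substring test, and on Windows builds a backslash-separated parent reference is also not matched. A more robust shape is to canonicalize Path and verify it still lies under the resolved `webadmin/files/` directory before calling `cFile::IsFile`, keeping the substring test as a cheap early reject, and to say so next to the condition: `// Substring test only; canonicalise Path and check it stays under webadmin/files/ if other separators or encodings can reach here`. HandleFileRequest begins before the hunk, so the origin and decoding state of FileURL cannot be confirmed from here.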