author | Matthew Wild <mwild1@gmail.com> | 2009-09-11 03:12:09 +0100 |
committer | Matthew Wild <mwild1@gmail.com> | 2009-09-11 03:12:09 +0100 |
commit | d8d4b7409ce9b0c63b55c49fe62b29eb1b7e1885 (patch) | |
tree | 0db10678ef644c9eee94777bce403787e08d246f | |
parent | c1e71bdec84a2ac4c5ab5bca75854a9e36464612 (diff) | |
mod_httpserver: Backport from trunk more thorough validation of URLs prior to processing
-rw-r--r-- | plugins/mod_httpserver.lua | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/plugins/mod_httpserver.lua b/plugins/mod_httpserver.lua
index a8639281..55ac3c7a 100644
--- a/plugins/mod_httpserver.lua
+++ b/plugins/mod_httpserver.lua
@@ -11,14 +11,19 @@ local httpserver = require "net.httpserver";
 local open = io.open;
 local t_concat = table.concat;
+local check_http_path;
 local http_base = "www_files";
+local response_403 = { status = "403 Forbidden", body = "<h1>Invalid URL</h1>Sorry, we couldn't find what you were looking for :(" };
 local response_404 = { status = "404 Not Found", body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(" };
 local http_path = { http_base };
 local function handle_request(method, body, request)
- local path = request.url.path:gsub("%.%.%/", ""):gsub("^/[^/]+", "");
+ local path = check_http_path(request.url.path:gsub("^/[^/]+%.*", ""));
+ if not path then
+ return response_403;
+ end
 http_path[2] = path;
 local f, err = open(t_concat(http_path), "r");
 if not f then return response_404; end
@@ -29,3 +34,22 @@ end
 local ports = config.get(module.host, "core", "http_ports") or { 5280 };
 httpserver.new_from_config(ports, "files", handle_request);
+
+function check_http_path(url)
+ if url:sub(1,1) ~= "/" then
+ url = "/"..url;
+ end
+
+ local level = 0;
+ for part in url:gmatch("%/([^/]+)") do
+ if part == ".." then
+ level = level - 1;
+ elseif part ~= "." then
+ level = level + 1;
+ end
+ if level < 0 then
+ return nil;
+ end
+ end
+ return url;
+end
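Review bot: check_http_path in the second hunk treats only `/` as a separator, so its level count is sound where the file is opened through a POSIX path but not on a host whose open() also accepts `\` — a segment such as `..\..` counts as +1 here and reaches io.open unchanged, so if Windows hosts are supported the check should reject a backslash anywhere in url (`if url:find("\\", 1, true) then return nil; end`) or split on both characters. The function's contract is also undocumented; suggest a header `-- Returns url unchanged if no ".." segment would climb above http_base, or nil (callers answer 403).` The rejection in handle_request (first hunk) is silent — logging the offending request path before `return response_403` would give operators a signal that traversal probing is going on. Whether request.url.path arrives percent-decoded cannot be seen from these hunks, and response_403's body reuses the 404 wording "we couldn't find what you were looking for", which reads wrong for a forbidden request.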