author | Roland Reichwein <mail@reichwein.it> | 2020-05-16 10:41:37 +0200 |
---|---|---|
committer | Roland Reichwein <mail@reichwein.it> | 2020-05-16 10:41:37 +0200 |
commit | 075edf82947b5f512cb013f9c071501db3955a82 (patch) | |
tree | 84dc2c8dbfeb02509c32fe33277a056a052d2ade /plugins | |
parent | 7782a10080749d7dc1b094502387ae9b2d972686 (diff) |
Bugfix: Statically serve only files with '?...' queries stripped off
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/static-files/static-files.cpp | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/plugins/static-files/static-files.cpp b/plugins/static-files/static-files.cpp
index 3f1c63a..345cf56 100644
--- a/plugins/static-files/static-files.cpp
+++ b/plugins/static-files/static-files.cpp
@@ -76,9 +76,17 @@ std::string static_files_plugin::generate_page(
  if (method != "GET" && method != "HEAD")
  return HttpStatus("400", "Unknown HTTP method", SetResponseHeader);
- // Request path must not contain "..".
- std::string rel_target{GetRequestParam("rel_target")};
  std::string target{GetRequestParam("target")};
+ size_t pos{target.find('?')};
+ if (pos != target.npos)
+ target = target.substr(0, pos);
+
+ std::string rel_target{GetRequestParam("rel_target")};
+ pos = rel_target.find('?');
+ if (pos != rel_target.npos)
+ rel_target = rel_target.substr(0, pos);
+
+ // Request path must not contain "..".
  if (rel_target.find("..") != std::string::npos) {
  return HttpStatus("400", "Illegal request: "s + target, SetResponseHeader);
  }
@@ -97,7 +105,7 @@ std::string static_files_plugin::generate_page(
  try {
  return getFile(path);
  } catch (const std::runtime_error& ex) {
- return HttpStatus("404", "Not found: "s + GetRequestParam("target"), SetResponseHeader);
+ return HttpStatus("404", "Not found: "s + target, SetResponseHeader);
  } catch (const std::exception& ex) {
  return HttpStatus("500", "Internal Server Error: "s + ex.what(), SetResponseHeader);
  }
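Review bot: The `..` rejection that follows the new stripping is still a plain substring test on `rel_target`, so it proves only that this one string has no `..`, not that the `path` eventually handed to `getFile` stays below the document root; `path` is built between the two hunks, outside what is visible, and if it is derived from `target` rather than `rel_target`, or if any percent-decoding happens after this check, the test would not cover it — the robust form is to normalize the built path (`std::filesystem::path::lexically_normal`) and require that the result begins with the root directory, with this substring check kept as a cheap early reject. Separately, the query stripping is written out twice, using `target.npos` and `rel_target.npos` while the very next line uses `std::string::npos`; a small helper keeps both sites identical and makes the stripping unit-testable on its own. The helper below has the same behaviour as the two inline sequences (cut at the first `'?'`, leave the string unchanged when there is none). `generate_page` begins before and ends after this hunk.
```cpp
// The query string is not part of the file name: cut at the first '?'.
// Strings without a '?' are returned unchanged.
static std::string strip_query(std::string s)
{
    const size_t pos = s.find('?');
    if (pos != std::string::npos)
        s.erase(pos);
    return s;
}

// … inside generate_page, replacing the two inline stripping sequences …
    std::string target{strip_query(GetRequestParam("target"))};
    std::string rel_target{strip_query(GetRequestParam("rel_target"))};
    // … unchanged: ".." check and the rest of the body …
```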
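Review bot: The changed 404 line still sits in a `catch (const std::runtime_error& ex)` whose `ex` is never used, which most compilers flag as an unused variable; `} catch (const std::runtime_error&) {` states the intent without the warning. The body also reflects the request `target` into the response text, as the 400 branch above already does; that is only safe if `HttpStatus` escapes its message for the content type it emits, which this hunk does not show — worth confirming, since the text comes straight from the client. Whether every `std::runtime_error` thrown by `getFile` really means "not found" (as opposed to, say, a permission problem that should not be reported as 404) cannot be judged from here either; a short comment on the catch stating that assumption would help the next reader. `generate_page` begins before and ends after this hunk.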