From 075edf82947b5f512cb013f9c071501db3955a82 Mon Sep 17 00:00:00 2001
From: Roland Reichwein
Date: Sat, 16 May 2020 10:41:37 +0200
Subject: Bugfix: Statically serve only files with '?...' queries stripped off

---
 plugins/static-files/static-files.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
(limited to 'plugins')

diff --git a/plugins/static-files/static-files.cpp b/plugins/static-files/static-files.cpp
index 3f1c63a..345cf56 100644
--- a/plugins/static-files/static-files.cpp
+++ b/plugins/static-files/static-files.cpp
@@ -76,9 +76,17 @@ std::string static_files_plugin::generate_page(
 if (method != "GET" && method != "HEAD")
 return HttpStatus("400", "Unknown HTTP method", SetResponseHeader);
- // Request path must not contain "..".
- std::string rel_target{GetRequestParam("rel_target")};
 std::string target{GetRequestParam("target")};
+ size_t pos{target.find('?')};
+ if (pos != target.npos)
+ target = target.substr(0, pos);
+
+ std::string rel_target{GetRequestParam("rel_target")};
+ pos = rel_target.find('?');
+ if (pos != rel_target.npos)
+ rel_target = rel_target.substr(0, pos);
+
+ // Request path must not contain "..".
 if (rel_target.find("..") != std::string::npos) {
 return HttpStatus("400", "Illegal request: "s + target, SetResponseHeader);
 }
@@ -97,7 +105,7 @@ std::string static_files_plugin::generate_page(
 try {
 return getFile(path);
 } catch (const std::runtime_error& ex) {
- return HttpStatus("404", "Not found: "s + GetRequestParam("target"), SetResponseHeader);
+ return HttpStatus("404", "Not found: "s + target, SetResponseHeader);
 } catch (const std::exception& ex) {
 return HttpStatus("500", "Internal Server Error: "s + ex.what(), SetResponseHeader);
 }
-- 
cgit v1.2.3
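Review bot: The query strip is written out twice in this hunk, once for `target` and once for `rel_target` with `pos` reused between them, where one small helper would state the intent once and keep the two paths from drifting apart; the placement itself is right, since the strip must run before the `..` check so that the check sees the same string the file lookup will use. A lambda also lets `erase(pos)` replace the `substr` copy. One caveat worth recording next to the check: `rel_target.find("..")` is a literal substring match on whatever `GetRequestParam` returns, so if percent-decoding happens only later, in the path build below this hunk, an encoded `%2e%2e` would slip past it — I cannot tell from the hunk where decoding occurs, so confirm it and note the answer in the comment. `generate_page` begins before this hunk and continues after it.
```cpp
  // Drop any "?query" suffix first so the ".." check and the file lookup
  // below both see the path the client actually asked for.
  auto strip_query = [](std::string s) {
    const auto pos = s.find('?');
    if (pos != std::string::npos)
      s.erase(pos);
    return s;
  };
  std::string target{strip_query(GetRequestParam("target"))};
  std::string rel_target{strip_query(GetRequestParam("rel_target"))};
  // … unchanged: ".." check and 400 response …
```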
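Review bot: The 404 branch now echoes the stripped `target` into the response body, as the 400 branch in the previous hunk already does; unless `HttpStatus` escapes its message for the content type it emits (not visible here), a request path containing markup is reflected back verbatim, so either confirm that escaping happens inside `HttpStatus` or keep the path out of the body, e.g. `return HttpStatus("404", "Not found", SetResponseHeader);`, and log `target` server-side instead. Separately, `ex` in `catch (const std::runtime_error& ex)` is never read and can be dropped to avoid unused-variable warnings: `} catch (const std::runtime_error&) {`. The closing lines of `generate_page` lie outside this hunk.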