uri processing reject paths not starting with slash
https://github.com/warmcat/libwebsockets/issues/481 Return 403 Forbidden if we don't end up with a uri path starting with / Signed-off-by: Andy Green <andy@warmcat.com>
This commit is contained in:
parent
45dead99e0
commit
a19ff9b24d
2 changed files with 16 additions and 1 deletions
@ -291,6 +291,14 @@ lws_http_action(struct lws *wsi)
break;
}
/* we insist on absolute paths */
if (uri_ptr[0] != '/') {
lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
goto bail_nuke_ah;
}
/* HTTP header had a content length? */
wsi->u.http.content_length = 0;
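Review bot: The new guard `if (uri_ptr[0] != '/')` discards the return value of lws_return_http_status(); because the branch unconditionally continues to `goto bail_nuke_ah`, that is presumably intended, but a one-line comment would save the next reader from checking, e.g. `/* a failed status write is moot: the connection is dropped via bail_nuke_ah either way */`. The comment `/* we insist on absolute paths */` states the policy but not the reason; consider `/* request-target must start with '/': later path handling assumes a rooted uri_ptr */`, hedged since the downstream consumers of uri_ptr are outside this hunk. lws_http_action begins and ends outside the hunk, so whether uri_ptr is guaranteed non-NULL and NUL-terminated at this point (an empty target reads as '\0' and is correctly rejected by the comparison) cannot be confirmed from the visible lines.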
@ -218,10 +218,17 @@ check
echo
echo "---- nonexistant file"
rm -f /tmp/lwscap
echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
echo -e "GET /nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check media
check
echo
echo "---- relative uri path"
rm -f /tmp/lwscap
echo -e "GET nope HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
check forbidden
check
echo
echo "---- directory attack 1 (/../../../../etc/passwd should be /etc/passswd)"
rm -f /tmp/lwscap
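Review bot: The new `check forbidden` in the "relative uri path" block depends on the `check` helper recognising a `forbidden` expectation; `check` is defined outside this hunk, and the capture pipeline `sed '1,/^\r$/d'` strips the status line and headers, so the helper can only match on the 403 response body, not on the status code. If the helper compares the captured body against a canned 403 page, a comment on the new block would make that coupling explicit, e.g. `# 403 is detected from the response body only: the sed above strips the status line and headers`. The block also repeats the fixed `/tmp/lwscap` capture path the existing tests use; keeping that convention is consistent, but the name is predictable and shared, which matters if the suite is ever run concurrently or by more than one user on the same host.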