mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-05 22:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_httpserver: Backport from trunk more thorough validation of URLs prior to processing

Browse source
This commit is contained in:
Matthew Wild 2009-09-11 03:12:09 +01:00
parent c1e71bdec8
commit d8d4b7409c
1 changed files with 25 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

26
plugins/mod_httpserver.lua
View file

@ -11,14 +11,19 @@ local httpserver = require "net.httpserver";
local open = io.open;
local t_concat = table.concat;
local check_http_path;
local http_base = "www_files";
local response_403 = { status = "403 Forbidden", body = "<h1>Invalid URL</h1>Sorry, we couldn't find what you were looking for :(" };
local response_404 = { status = "404 Not Found", body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(" };
local http_path = { http_base };
local function handle_request(method, body, request)
local path = request.url.path:gsub("%.%.%/", ""):gsub("^/[^/]+", "");
local path = check_http_path(request.url.path:gsub("^/[^/]+%.*", ""));
if not path then
return response_403;
end
http_path[2] = path;
local f, err = open(t_concat(http_path), "r");
if not f then return response_404; end
@ -29,3 +34,22 @@ end
local ports = config.get(module.host, "core", "http_ports") or { 5280 };
httpserver.new_from_config(ports, "files", handle_request);
function check_http_path(url)
if url:sub(1,1) ~= "/" then
url = "/"..url;
end
local level = 0;
for part in url:gmatch("%/([^/]+)") do
if part == ".." then
level = level - 1;
elseif part ~= "." then
level = level + 1;
end
if level < 0 then
return nil;
end
end
return url;
end