response_code = C_SIMPLE_HTTP_Response_400_Bad_Request;
} else if (file_info.result == STATIC_FILE_RESULT_404NotFound) {
response_code = C_SIMPLE_HTTP_Response_404_Not_Found;
+ } else if (file_info.result == STATIC_FILE_RESULT_InvalidPath) {
+ response_code = C_SIMPLE_HTTP_Response_400_Bad_Request;
} else {
response_code = C_SIMPLE_HTTP_Response_500_Internal_Server_Error;
}
} else if (!ignore_mime_type && !c_simple_http_is_xdg_mime_available()) {
file_info.result = STATIC_FILE_RESULT_NoXDGMimeAvailable;
return file_info;
+ } else if (c_simple_http_static_validate_path(path) != 0) {
+ file_info.result = STATIC_FILE_RESULT_InvalidPath;
+ return file_info;
}
uint64_t buf_size = 128;
return file_info;
}
+int c_simple_http_static_validate_path(const char *path) {
+ uint64_t length = strlen(path);
+ for (uint64_t idx = 0; idx <= length && path[idx] != 0; ++idx) {
+ if (length - idx >= 2) {
+ if (path[idx] == '.' && path[idx + 1] == '.') {
+ // Contains "..", invalid.
+ return 1;
+ }
+ }
+ }
+ return 0;
+}
+
// vim: et ts=2 sts=2 sw=2
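Review bot: c_simple_http_static_validate_path only rejects a literal ".." substring (the inner `if` in the loop), so it blocks traversal only for a path that has already been fully decoded and is joined with static_dir in one fixed way; whether c_simple_http_get_file percent-decodes `path` before this call is not visible in the hunk. A structural check is more robust: after joining static_dir and path, resolve the result with realpath(3) and accept it only if it starts with the resolved static_dir followed by '/', which also catches symlinks pointing outside the directory; that change belongs in c_simple_http_get_file, whose body lies outside this hunk. The substring test also refuses otherwise valid names such as `a..b`; if that is intended, say so in the header comment. `strlen(path)` presumes a non-NULL path; the caller seems to reject bad parameters earlier (STATIC_FILE_RESULT_InvalidParameter), but since the function is exported, `if (path == NULL) return 1;` at the top would make it safe on its own.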
STATIC_FILE_RESULT_InvalidParameter,
STATIC_FILE_RESULT_NoXDGMimeAvailable,
STATIC_FILE_RESULT_InternalError,
- STATIC_FILE_RESULT_404NotFound
+ STATIC_FILE_RESULT_404NotFound,
+ STATIC_FILE_RESULT_InvalidPath
} C_SIMPLE_HTTP_StaticFileResult;
typedef struct C_SIMPLE_HTTP_StaticFileInfo {
C_SIMPLE_HTTP_StaticFileInfo c_simple_http_get_file(
const char *static_dir, const char *path, int_fast8_t ignore_mime_type);
+/// Returns zero if OK.
+int c_simple_http_static_validate_path(const char *path);
+
#endif
// vim: et ts=2 sts=2 sw=2
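Review bot: The doc comment on the new c_simple_http_static_validate_path declaration, `/// Returns zero if OK.`, does not say what is checked or what the non-zero value means. Suggested replacement: `/// Rejects any path containing the substring "..". Returns 0 if path is acceptable, non-zero otherwise. path must be non-NULL.` Stating the rule lets callers and future maintainers see that this is a substring denylist rather than a canonicalised prefix check.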