
plugins/mod_httpserver.lua @ 1770:3e17002221eb

mod_httpserver: Backport from trunk more thorough validation of URLs prior to processing
author Matthew Wild <mwild1@gmail.com>
date Fri, 11 Sep 2009 03:12:09 +0100
parent 1552:334b66f614a6
child 1771:39e6b986ef01
child 1812:e32593074602
1 -- Prosody IM
2 -- Copyright (C) 2008-2009 Matthew Wild
3 -- Copyright (C) 2008-2009 Waqas Hussain
4 --
5 -- This project is MIT/X11 licensed. Please see the
6 -- COPYING file in the source package for more information.
7 --
10 local httpserver = require "net.httpserver";
-- Local aliases for the two standard-library functions the request handler uses.
local open, t_concat = io.open, table.concat;

-- Forward declaration (added in changeset 1770:3e17002221eb together with the
-- URL validation): the validator is defined further down the file but is
-- referenced from handle_request, so the local has to exist before that
-- function is compiled.
local check_http_path;

-- Directory that static files are read from. The path is relative, so it is
-- resolved by io.open against the process's current working directory.
local http_base = "www_files";

-- Canned error responses. The 403 is returned when check_http_path rejects the
-- request path (added in changeset 1770:3e17002221eb); the 404 is returned when
-- the file cannot be opened.
local response_403 = {
	status = "403 Forbidden",
	body = "<h1>Invalid URL</h1>Sorry, we couldn't find what you were looking for :(",
};
local response_404 = {
	status = "404 Not Found",
	body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(",
};

-- Reusable two-slot buffer for building the filesystem path: slot 1 is the
-- fixed base directory, slot 2 is overwritten on every request.
local http_path = { http_base };
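-- Serve one static file from http_base in response to an HTTP request.
--
-- Parameters:
--   method  - HTTP method of the request; not inspected here, so every method
--             is answered the same way.
--   body    - request body; unused.
--   request - request object; only request.url.path is read.
--
-- Returns the file contents as a string on success, response_403 when the
-- path fails validation, or response_404 when the file cannot be opened or read.
--
-- Security notes:
--   * The request path is untrusted. It is passed through check_http_path
--     before it is joined to http_base, and the validated string is the same
--     one that reaches open(), so there is no gap between check and use.
--   * The validation is purely lexical. It does not resolve symbolic links, so
--     a symlink placed inside http_base can still point outside it; keep the
--     served directory free of links that operators do not intend to expose.
--   * NOTE(review): this assumes request.url.path has already been
--     percent-decoded by the HTTP layer before it arrives here - confirm in
--     net.httpserver.
local function handle_request(method, body, request)
	-- Strip the first path component (the base the handler is registered
	-- under). gsub returns (string, count); assigning to a single local keeps
	-- only the string so the count is not passed on to the validator.
	local relative = request.url.path:gsub("^/[^/]+%.*", "");

	local path = check_http_path(relative);
	if not path then
		return response_403;
	end

	http_path[2] = path;

	-- Binary mode: static content includes images and archives, and text mode
	-- would translate line endings on platforms that distinguish the two.
	local f = open(t_concat(http_path), "rb");
	if not f then return response_404; end

	local data = f:read("*a");
	f:close();

	-- read() yields nil on an I/O error (for example when the path names a
	-- directory); answer with a 404 rather than handing nil to the HTTP layer.
	if not data then return response_404; end
	return data;
end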
-- Ports to listen on: the "http_ports" option for this host, falling back to
-- 5280 when the option is unset.
local ports = config.get(module.host, "core", "http_ports");
if not ports then
	ports = { 5280 };
end

-- Register handle_request with the HTTP server under the "files" base.
-- NOTE(review): presumably "files" is the first URL path component that
-- handle_request strips before validation - confirm against net.httpserver.
httpserver.new_from_config(ports, "files", handle_request);
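-- Validate a request path before it is joined to the served directory.
-- Introduced by changeset 1770:3e17002221eb ("more thorough validation of URLs
-- prior to processing").
--
-- Parameter:
--   url - the request path with the handler's base component already removed.
--
-- Returns the path (with a leading "/" added if it was missing) when it stays
-- inside the base directory, or nil when it must be refused.
--
-- How the check works: the path is walked one "/"-separated component at a
-- time while tracking the depth below the base. ".." moves up one level, "."
-- stays put, anything else moves down. The path is refused as soon as the
-- depth goes negative, i.e. at the first point where it would step above the
-- base, even if later components would bring it back down.
--
-- Caveats for maintainers:
--   * The returned string is not normalised; "." and ".." components that
--     stay inside the base are left for the filesystem to resolve.
--   * Only "/" is treated as a separator by the walk, so input containing "\"
--     is refused outright: on platforms whose file APIs also accept "\" as a
--     separator the depth count would otherwise not reflect the real path.
--   * Embedded NUL bytes are refused because the C file APIs behind io.open
--     stop at the first NUL and would see a different path from the one
--     checked here.
--   * The check is lexical only and does not consider symbolic links.
--
-- Defined without "local" on purpose: the name is forward-declared as a local
-- near the top of the file, and this statement assigns to it.
function check_http_path(url)
	if type(url) ~= "string" then
		return nil;
	end

	-- Plain (non-pattern) searches, so neither byte is treated as pattern syntax.
	if url:find("\\", 1, true) or url:find("\0", 1, true) then
		return nil;
	end

	if url:sub(1,1) ~= "/" then
		url = "/"..url;
	end

	local level = 0;
	for part in url:gmatch("%/([^/]+)") do
		if part == ".." then
			level = level - 1;
		elseif part ~= "." then
			level = level + 1;
		end
		if level < 0 then
			return nil;
		end
	end
	return url;
end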