plugins/mod_httpserver.lua @ 1770:3e17002221eb
mod_httpserver: Backport from trunk more thorough validation of URLs prior to processing
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 11 Sep 2009 03:12:09 +0100 |
| parent | 1552:334b66f614a6 |
| child | 1771:39e6b986ef01 |
| child | 1812:e32593074602 |
| 1732:f1282fad2f99 | 1770:3e17002221eb |
|---|---|
| 9 | 9 |
| 10 local httpserver = require "net.httpserver"; | 10 local httpserver = require "net.httpserver"; |
| 11 | 11 |
| 12 local open = io.open; | 12 local open = io.open; |
| 13 local t_concat = table.concat; | 13 local t_concat = table.concat; |
| 14 local check_http_path; | |
| 14 | 15 |
| 15 local http_base = "www_files"; | 16 local http_base = "www_files"; |
| 16 | 17 |
| 18 local response_403 = { status = "403 Forbidden", body = "<h1>Invalid URL</h1>Sorry, we couldn't find what you were looking for :(" }; | |
| 17 local response_404 = { status = "404 Not Found", body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(" }; | 19 local response_404 = { status = "404 Not Found", body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(" }; |
| 18 | 20 |
| 19 local http_path = { http_base }; | 21 local http_path = { http_base }; |
| 20 local function handle_request(method, body, request) | 22 local function handle_request(method, body, request) |
| 21 local path = request.url.path:gsub("%.%.%/", ""):gsub("^/[^/]+", ""); | 23 local path = check_http_path(request.url.path:gsub("^/[^/]+%.*", "")); |
| 24 if not path then | |
| 25 return response_403; | |
| 26 end | |
| 22 http_path[2] = path; | 27 http_path[2] = path; |
| 23 local f, err = open(t_concat(http_path), "r"); | 28 local f, err = open(t_concat(http_path), "r"); |
| 24 if not f then return response_404; end | 29 if not f then return response_404; end |
| 25 local data = f:read("*a"); | 30 local data = f:read("*a"); |
| 26 f:close(); | 31 f:close(); |
| 27 return data; | 32 return data; |
| 28 end | 33 end |
| 29 | 34 |
| 30 local ports = config.get(module.host, "core", "http_ports") or { 5280 }; | 35 local ports = config.get(module.host, "core", "http_ports") or { 5280 }; |
| 31 httpserver.new_from_config(ports, "files", handle_request); | 36 httpserver.new_from_config(ports, "files", handle_request); |
| 37 | |
| 38 function check_http_path(url) | |
| 39 if url:sub(1,1) ~= "/" then | |
| 40 url = "/"..url; | |
| 41 end | |
| 42 | |
| 43 local level = 0; | |
| 44 for part in url:gmatch("%/([^/]+)") do | |
| 45 if part == ".." then | |
| 46 level = level - 1; | |
| 47 elseif part ~= "." then | |
| 48 level = level + 1; | |
| 49 end | |
| 50 if level < 0 then | |
| 51 return nil; | |
| 52 end | |
| 53 end | |
| 54 return url; | |
| 55 end |
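Review bot: check_http_path (new lines 38–55) only recognises `/` as a separator when counting directory levels, so a component that contains a backslash is counted as an ordinary step down and handed unchanged to io.open; whether the platform's C library then treats it as a separator is outside this module's control, and the check should not depend on it. A conservative fix is to refuse such paths before the loop, e.g. `if url:find("\\", 1, true) then return nil; end`. Separately, the body of response_403 (new line 18) reuses the "we couldn't find what you were looking for" wording of response_404, which misdescribes a rejected path; `body = "<h1>Invalid URL</h1>"` alone would be clearer. The `local check_http_path;` forward declaration on new line 14 is what makes the definition placed after new_from_config bind to the local rather than a global, so a short comment there such as `-- forward declaration; defined below` would save the next reader the search.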