Diff

plugins/mod_httpserver.lua @ 1770:3e17002221eb

mod_httpserver: Backport from trunk more thorough validation of URLs prior to processing
author Matthew Wild <mwild1@gmail.com>
date Fri, 11 Sep 2009 03:12:09 +0100
parent 1552:334b66f614a6
child 1771:39e6b986ef01
child 1812:e32593074602
line wrap: on
line diff
--- a/plugins/mod_httpserver.lua	Sun Sep 06 01:33:41 2009 +0500
+++ b/plugins/mod_httpserver.lua	Fri Sep 11 03:12:09 2009 +0100
@@ -11,14 +11,19 @@
 
 local open = io.open;
 local t_concat = table.concat;
+local check_http_path;
 
 local http_base = "www_files";
 
+local response_403 = { status = "403 Forbidden", body = "<h1>Invalid URL</h1>Sorry, we couldn't find what you were looking for :(" };
 local response_404 = { status = "404 Not Found", body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(" };
 
 local http_path = { http_base };
 local function handle_request(method, body, request)
-	local path = request.url.path:gsub("%.%.%/", ""):gsub("^/[^/]+", "");
+	local path = check_http_path(request.url.path:gsub("^/[^/]+%.*", ""));
+	if not path then
+		return response_403;
+	end
 	http_path[2] = path;
 	local f, err = open(t_concat(http_path), "r");
 	if not f then return response_404; end
@@ -29,3 +34,22 @@
 
 local ports = config.get(module.host, "core", "http_ports") or { 5280 };
 httpserver.new_from_config(ports, "files", handle_request);
+
+function check_http_path(url)
+	if url:sub(1,1) ~= "/" then
+		url = "/"..url;
+	end
+	
+	local level = 0;
+	for part in url:gmatch("%/([^/]+)") do
+		if part == ".." then
+			level = level - 1;
+		elseif part ~= "." then
+			level = level + 1;
+		end
+		if level < 0 then
+			return nil;
+		end
+	end
+	return url;
+end