author | Andy Green <andy@warmcat.com> | 2016-04-02 08:03:48 +0800 |
---|---|---|
committer | Andy Green <andy@warmcat.com> | 2016-04-02 08:03:48 +0800 |
commit | 8b832663011c4ff7b853b218361855efd18d8510 (patch) | |
tree | e16110595921f2594f52987c387a1fa556ffa925 | |
parent | e3e89a7241230df6d4948281f0307d9df421fe26 (diff) | |
uri processing reject paths not starting with slash
https://github.com/warmcat/libwebsockets/issues/481
Return 403 Forbidden if we don't end up with a uri path starting with /
Test server already did this, but this makes it built into the
library.
Signed-off-by: Andy Green <andy@warmcat.com>
-rw-r--r-- | lib/server.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/server.c b/lib/server.c index 0b6e4c1f..59e664f9 100644 --- a/lib/server.c +++ b/lib/server.c @@ -243,6 +243,14 @@ lws_http_action(struct lws *wsi) break; } + /* we insist on absolute paths */ + + if (uri_ptr[0] != '/') { + lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL); + + goto bail_nuke_ah; + } + /* HTTP header had a content length? */ wsi->u.http.content_length = 0; |
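Review bot: the new test `uri_ptr[0] != '/'` in lws_http_action() dereferences uri_ptr with no guard visible in this hunk, so please confirm that the loop ending at the `break;` just above always leaves uri_ptr pointing at a readable, NUL-terminated string on every path that reaches this line. An empty string is handled correctly (the terminator is not '/', so it gets the 403), but a NULL or unset pointer is not; if that cannot be ruled out, use `if (!uri_ptr || uri_ptr[0] != '/')`. Two smaller points: the return value of lws_return_http_status() is discarded before `goto bail_nuke_ah`, which is worth a short comment if that is intentional, and the comment "we insist on absolute paths" could say why (the linked issue 481) and note that any request target not beginning with '/', such as `*` or a full `http://...` form, now receives 403 as well. Since the commit message says the test server already performed this check, the now redundant copy there could be removed in the same change or a follow-up.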