Merge pull request #70 from maxnet/master

httpd: disallow directory traversal
LibVNC · Apr 17, 2015 · 1071094 · 1071094
2 parents f5abd4a + f5ae946
commit 1071094
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
@@ -423,6 +423,14 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
        }
     }
 
+    /* Basic protection against directory traversal outside webroot */
+
+    if (strstr(fname, "..")) {
+        rfbErr("httpd: URL should not contain '..'\n");
+        rfbWriteExact(&cl, NOT_FOUND_STR, strlen(NOT_FOUND_STR));
+        httpCloseSock(rfbScreen);
+        return;
+    }
 
     /* If we were asked for '/', actually read the file index.vnc */