Severely limit the interplay of $/ and $.

Rather than blindly allow any kind of combination, we now severely limit what kind of things are allowed w.r.t. path checks.
jlouis · Dec 18, 2011 · 47c22cb · 47c22cb
1 parent 10a8506
commit 47c22cb
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/apps/etorrent/src/etorrent_cowboy_handler.erl b/apps/etorrent/src/etorrent_cowboy_handler.erl
@@ -181,11 +181,28 @@ conv_number(F) when is_float(F)   -> float_to_list(F).
 sanitize(Path) ->
     case lists:all(fun allowed/1, Path) of
         true ->
-            Path;
+            dot_check(Path);
         false ->
             "index.html"
     end.
 
+dot_check(Path) ->
+    case dot_check1(Path) of
+        ok ->
+            Path;
+        fail ->
+            "index.html"
+    end.
+
+dot_check1([$., $/ | _]) -> fail;
+dot_check1([$/, $/ | _]) -> fail;
+dot_check1([$/, $. | _]) -> fail;
+dot_check1([$., $. | _]) -> fail;
+dot_check1([_A, B | Next]) -> dot_check1([B | Next]);
+dot_check1(".") -> fail;
+dot_check1("/") -> fail;
+dot_check1(L) when is_list(L) -> ok.
+
 allowed(C) when C >= $a, C =< $z -> true;
 allowed(C) when C >= $A, C =< $Z -> true;
 allowed(C) when C >= $0, C =< $9 -> true;