Severely limit the interplay of $/ and $.

Rather than blindly allowing any combination, we now severely
limit what is allowed with respect to path checks.
commit 47c22cbbea4188ce331ff71ab7c2d22ff3fec728 1 parent 10a8506
@jlouis authored
Showing with 18 additions and 1 deletion.
  1. +18 −1 apps/etorrent/src/etorrent_cowboy_handler.erl
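--- a/apps/etorrent/src/etorrent_cowboy_handler.erl
+++ b/apps/etorrent/src/etorrent_cowboy_handler.erl
@@ -181,11 +181,28 @@ conv_number(F) when is_float(F) -> float_to_list(F).
 sanitize(Path) ->
 case lists:all(fun allowed/1, Path) of
 true ->
- Path;
+ dot_check(Path);
 false ->
 "index.html"
 end.
+dot_check(Path) ->
+ case dot_check1(Path) of
+ ok ->
+ Path;
+ fail ->
+ "index.html"
+ end.
+
+dot_check1([$., $/ | _]) -> fail;
+dot_check1([$/, $/ | _]) -> fail;
+dot_check1([$/, $. | _]) -> fail;
+dot_check1([$., $. | _]) -> fail;
+dot_check1([_A, B | Next]) -> dot_check1([B | Next]);
+dot_check1(".") -> fail;
+dot_check1("/") -> fail;
+dot_check1(L) when is_list(L) -> ok.
+
 allowed(C) when C >= $a, C =< $z -> true;
 allowed(C) when C >= $A, C =< $Z -> true;
 allowed(C) when C >= $0, C =< $9 -> true;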
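Review bot: A path that starts with a single `/` or `.` passes `dot_check1`, because only the pairs `./`, `//`, `/.`, `..` and a trailing lone `.` or `/` are rejected — both `"/x"` and `".x"` fall through the `[_A, B | Next]` clause to `dot_check1("x") -> ok`, so an absolute path or a leading dotfile name survives the check; whether that is exploitable depends on how the caller joins `Path` onto the document root, which is outside this hunk (I believe `filename:join/2` lets an absolute second argument supersede the first, so it is worth confirming). A sliding-window denylist over character pairs is also hard to extend safely; a component-based check is easier to reason about: require `filename:pathtype(Path) =:= relative` and reject any `"."`/`".."` component from `filename:split/1`, leaving the character set to `allowed/1` (this drops the separate rejection of `//` and a trailing `/`, which `filename:split/1` normalises away). The final clause `dot_check1(L) when is_list(L) -> ok` can be a plain `dot_check1(_) -> ok`, since every reachable argument is already a list, and note that `sanitize([])` still returns `""` rather than `"index.html"`, which may or may not be intended. `allowed/1` continues past the end of the hunk.
```erlang
%% A path is acceptable only if it is relative and contains no "." or ".."
%% component; the permitted character set is still enforced by allowed/1.
dot_check1(Path) ->
    Parts = filename:split(Path),
    HasDots = lists:any(fun(P) -> P =:= "." orelse P =:= ".." end, Parts),
    case filename:pathtype(Path) =:= relative andalso not HasDots of
        true -> ok;
        false -> fail
    end.
```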