fixed LFI vulnerability
sternenseemann committed Aug 15, 2014
1 parent 851ff5d commit cf715d9
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions main.c
Expand Up @@ -188,6 +188,14 @@ void blog_index(void) {
}

void blog_post(char post_path[]) {
if(strlen(post_path) != 0 || post_path[0] == '.'
|| strchr(post_path, '/') == NULL) {
send_header("Content-type", "text/plain");
terminate_headers();
printf("No, my dear h4xxx0r :)\nYou won\'t do that :p\n");
return;
}

if(file_exists(post_path) > 0) {
struct blogpost post = make_blogpost(post_path);
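
Review bot: The guard condition at the top of blog_post looks inverted, so it rejects every request instead of only traversal attempts. `strlen(post_path) != 0` is true for any non-empty path, and for the empty path `strchr(post_path, '/') == NULL` is true, so no input ever reaches the `file_exists(post_path)` call below. The third test also fires when the path has no slash, which is the opposite of what an LFI check needs. Suggest `strlen(post_path) == 0 || post_path[0] == '.' || strchr(post_path, '/') != NULL`, and a short comment above the check stating that post names must be plain file names in the blog directory. Minor style point: the `\'` inside the printf string does not need escaping in a double-quoted C string.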


1 comment on commit cf715d9

@sternenseemann
Owner Author

Note that this case is very theoretical and probably won't happen. Maybe only on obscure Web servers.

If you'd request blog/../../../etc/some.conf, your Webserver wouldn't let blog handle the request.
