author | Wilhem Barbier <wilhem.b@free.fr> | 2019-06-11 10:33:56 +0200 |
committer | Mattes D <github@xoft.cz> | 2019-06-11 10:33:56 +0200 |
commit | 85006d10f5b4f8fb2e95be479d0b7c28a42d1d46 (patch) | |
tree | 597fafe870ccd8859f07d404acacaab03b26fa5b | |
parent | * Sponge: Add water absorbtion (#4333) (diff) | |
-rw-r--r-- | src/WebAdmin.cpp | 17 |
1 files changed, 8 insertions, 9 deletions
diff --git a/src/WebAdmin.cpp b/src/WebAdmin.cpp
index 335b6b94e..9082044fa 100644
--- a/src/WebAdmin.cpp
+++ b/src/WebAdmin.cpp
@@ -375,14 +375,13 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
 }
 }
- // Remove all "../" strings:
- ReplaceString(FileURL, "../", "");
-
 // Read the file contents and guess its mime-type, based on the extension:
 AString Content = "<h2>404 Not Found</h2>";
- AString ContentType;
+ AString ContentType = "text/html";
 AString Path = Printf(FILE_IO_PREFIX "webadmin/files/%s", FileURL.c_str());
- if (cFile::IsFile(Path))
+
+ // Return 404 if the file is not found, or the URL contains '../' (for security reasons)
+ if ((FileURL.find("../") == AString::npos) && cFile::IsFile(Path))
 {
 cFile File(Path, cFile::fmRead);
 AString FileContent;
@@ -395,10 +394,10 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
 ContentType = GetContentTypeFromFileExt(Path.substr(LastPointPosition + 1));
 }
 }
- }
- if (ContentType.empty())
- {
- ContentType = "application/unknown";
+ if (ContentType.empty())
+ {
+ ContentType = "application/unknown";
+ }
 }
 // Send the response: |
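Review bot: The new guard `FileURL.find("../") == AString::npos` only matches the forward-slash form of a parent-directory reference, so on Windows builds a request containing `..\` (or `..\..\`) still reaches `cFile::IsFile(Path)` with a path that escapes `webadmin/files/`. Rejecting any `..` and any backslash is stricter but closes that gap without changing the interface: `// Reject any ".." and backslashes: a "../" substring check alone misses "..\" on Windows` followed by `if ((FileURL.find("..") == AString::npos) && (FileURL.find('\\') == AString::npos) && cFile::IsFile(Path))`. Whether FileURL has already been percent-decoded at this point is not visible in the hunk; if it is still encoded here, `%2e%2e/` would also pass the check and should be covered by decoding before validation. The enclosing HandleFileRequest body starts and ends outside this hunk.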