/rc/bin/rc-httpd/{rc-httpd, handlers/error}: do some minimal sanitization on $SERVER_NAME before handing it off to select-handler. this prevents malformed Host: headers from retrieving arbitrary files from the file system. (thanks, Lightning)

This commit is contained in:
glenda 2021-11-21 23:42:13 +00:00
parent a27afe904d
commit e2a8d3493a
2 changed files with 10 additions and 0 deletions

View file

@ -19,6 +19,11 @@ fn do_error{
' '
} }
fn 400{
do_error '400 Bad Request' \
'The request was invalid.'
}
fn 401{ fn 401{
do_error '401 Unauthorized' \ do_error '401 Unauthorized' \
'The requested path '^$"location^' requires authorization.' 'The requested path '^$"location^' requires authorization.'

View file

@ -85,6 +85,11 @@ if(~ $#SERVER_NAME 2){
SERVER_PORT=$SERVER_NAME(2) SERVER_PORT=$SERVER_NAME(2)
SERVER_NAME=$SERVER_NAME(1) SERVER_NAME=$SERVER_NAME(1)
} }
switch($SERVER_NAME){
case */* ..
error 400
exit
}
if(~ $REQUEST_METHOD (PUT POST)){ if(~ $REQUEST_METHOD (PUT POST)){
if(! ~ $"CONTENT_LENGTH '') if(! ~ $"CONTENT_LENGTH '')
trim_input | exec $rc_httpd_dir/select-handler trim_input | exec $rc_httpd_dir/select-handler