/rc/bin/rc-httpd/{rc-httpd, handlers/error}: do some minimal sanitization on $SERVER_NAME before handing it off to select-handler. this prevents malformed Host: headers from retrieving arbitrary files from the file system. (thanks, Lightning)

rc/bin/rc-httpd/handlers/error

@@ -19,6 +19,11 @@ fn do_error{
 	'
 }
 
+fn 400{
+	do_error '400 Bad Request' \
+	'The request was invalid.'
+}
+
 fn 401{
 	do_error '401 Unauthorized' \
 	'The requested path '^$"location^' requires authorization.'

rc/bin/rc-httpd/rc-httpd

@@ -85,6 +85,11 @@ if(~ $#SERVER_NAME 2){
 	SERVER_PORT=$SERVER_NAME(2)
 	SERVER_NAME=$SERVER_NAME(1)
 }
+switch($SERVER_NAME){
+	case */* ..
+		error 400
+		exit
+}
 if(~ $REQUEST_METHOD (PUT POST)){
 	if(! ~ $"CONTENT_LENGTH '')
 		trim_input | exec $rc_httpd_dir/select-handler