Skip to content

M
mongoose
Commit 8c4521af authored by Sergey Lyubka's avatar Sergey Lyubka
Browse files
Options

moved remove_double_dots_and_double_slashes() to string.c

parent 0d2a8db6
Hide whitespace changes
Inline Side-by-side
Showing with 46 additions and 46 deletions
build/src/mongoose.c
View file @ 8c4521af
...@@ -503,29 +503,6 @@ static int get_request_len(const char *buf, int buf_len) { ...@@ -503,29 +503,6 @@ static int get_request_len(const char *buf, int buf_len) {
return 0; return 0;
} }
// Protect against directory disclosure attack by removing '..',
// excessive '/' and '\' characters
static void remove_double_dots_and_double_slashes(char *s) {
char *p = s;
while (*s != '\0') {
*p++ = *s++;
if (s[-1] == '/' || s[-1] == '\\') {
// Skip all following slashes, backslashes and double-dots
while (s[0] != '\0') {
if (s[0] == '/' || s[0] == '\\') {
s++;
} else if (s[0] == '.' && s[1] == '.') {
s += 2;
} else {
break;
}
}
}
}
*p = '\0';
}
static const struct { static const struct {
const char *extension; const char *extension;
size_t ext_len; size_t ext_len;
......
build/src/string.c
View file @ 8c4521af
...@@ -243,3 +243,26 @@ static int match_prefix(const char *pattern, int pattern_len, const char *str) { ...@@ -243,3 +243,26 @@ static int match_prefix(const char *pattern, int pattern_len, const char *str) {
return j; return j;
} }
// Protect against directory disclosure attack by removing '..',
// excessive '/' and '\' characters
static void remove_double_dots_and_double_slashes(char *s) {
char *p = s;
while (*s != '\0') {
*p++ = *s++;
if (s[-1] == '/' || s[-1] == '\\') {
// Skip all following slashes, backslashes and double-dots
while (s[0] != '\0') {
if (s[0] == '/' || s[0] == '\\') {
s++;
} else if (s[0] == '.' && s[1] == '.') {
s += 2;
} else {
break;
}
}
}
}
*p = '\0';
}
mongoose.c
View file @ 8c4521af
...@@ -726,6 +726,29 @@ static int match_prefix(const char *pattern, int pattern_len, const char *str) { ...@@ -726,6 +726,29 @@ static int match_prefix(const char *pattern, int pattern_len, const char *str) {
return j; return j;
} }
// Protect against directory disclosure attack by removing '..',
// excessive '/' and '\' characters
static void remove_double_dots_and_double_slashes(char *s) {
char *p = s;
while (*s != '\0') {
*p++ = *s++;
if (s[-1] == '/' || s[-1] == '\\') {
// Skip all following slashes, backslashes and double-dots
while (s[0] != '\0') {
if (s[0] == '/' || s[0] == '\\') {
s++;
} else if (s[0] == '.' && s[1] == '.') {
s += 2;
} else {
break;
}
}
}
}
*p = '\0';
}
static const char *month_names[] = { static const char *month_names[] = {
"Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jan", "Feb", "Mar", "Apr", "May", "Jun",
...@@ -2673,29 +2696,6 @@ static int get_request_len(const char *buf, int buf_len) { ...@@ -2673,29 +2696,6 @@ static int get_request_len(const char *buf, int buf_len) {
return 0; return 0;
} }
// Protect against directory disclosure attack by removing '..',
// excessive '/' and '\' characters
static void remove_double_dots_and_double_slashes(char *s) {
char *p = s;
while (*s != '\0') {
*p++ = *s++;
if (s[-1] == '/' || s[-1] == '\\') {
// Skip all following slashes, backslashes and double-dots
while (s[0] != '\0') {
if (s[0] == '/' || s[0] == '\\') {
s++;
} else if (s[0] == '.' && s[1] == '.') {
s += 2;
} else {
break;
}
}
}
}
*p = '\0';
}
static const struct { static const struct {
const char *extension; const char *extension;
size_t ext_len; size_t ext_len;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment