eliott/ladybird
1
0
Fork 0
mirror of https://github.com/LadybirdBrowser/ladybird synced 2026-05-05 06:32:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

WebServer: Fix jailbreaking of server via .. relative paths

Browse Source 
The recent patch to LexicalPath allowed relative paths like ../ to work
in requests to WebServer. This wasn't too dangerous because of unveil,
but let's still fix this :^)
This commit is contained in:
DexesTTP
2021-05-18 08:58:37 +02:00
committed by Andreas Kling
parent 7957f13e98
commit 9f42ccd639
Notes: sideshowbarker 2024-07-18 17:52:51 +09:00 
Author: https://github.com/Dexesttp
Commit: https://github.com/SerenityOS/serenity/commit/9f42ccd6399
Pull-request: https://github.com/SerenityOS/serenity/pull/7240
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Userland/Services/WebServer/Client.cpp
View File

@@ -73,7 +73,7 @@ void Client::handle_request(ReadonlyBytes raw_request)
return;
}
auto requested_path = LexicalPath::canonicalized_path(request.resource());
auto requested_path = LexicalPath::join("/", request.resource()).string();
dbgln("Canonical requested path: '{}'", requested_path);
StringBuilder path_builder;