diff options
| author | Syndamia <kamen@syndamia.com> | 2023-12-27 14:57:13 +0200 |
|---|---|---|
| committer | Syndamia <kamen@syndamia.com> | 2023-12-27 14:57:13 +0200 |
| commit | 009444ba3f4e53c695c5c7aaa89683864e379f8b (patch) | |
| tree | 1b9418b67c0ae01a8132566ad0e4c11d3c577357 | |
| parent | 95cdee0bbd92de139f7d09e85330a769e9b98636 (diff) | |
| download | pico-web-009444ba3f4e53c695c5c7aaa89683864e379f8b.tar pico-web-009444ba3f4e53c695c5c7aaa89683864e379f8b.tar.gz pico-web-009444ba3f4e53c695c5c7aaa89683864e379f8b.zip | |
(server-connection) Added address sanitization
| -rw-r--r-- | server-connection.c | 24 | ||||
| -rw-r--r-- | util.c | 7 | ||||
| -rw-r--r-- | util.h | 1 |
3 files changed, 32 insertions, 0 deletions
diff --git a/server-connection.c b/server-connection.c index f0ac1e6..9b06ede 100644 --- a/server-connection.c +++ b/server-connection.c @@ -5,6 +5,7 @@ #include <fcntl.h> #include <string.h> +#include <util.h> sds constructFilePath(const sds root, const char* file) { sds path = sdsdup(root); @@ -16,6 +17,28 @@ sds constructFilePath(const sds root, const char* file) { return path; } +void sanitizeAddress(char* address) { + /* Remove host and port */ + char* startPath = strchr(address, '/'); + if (startPath == NULL) + startPath = strchr(address, '\0'); + + char* startHost = strchr(address, '@'); + shiftLeft(startHost + 1, address - startHost, startPath - startHost - 1); + + /* Remove ../ */ + for (char* prev = startHost+1, *i = startHost+1; i != NULL && *i != '\0';) { + if (i[1] == '.' && i[2] == '.' && i[3] == '/') { + shiftLeft(prev, strlen(prev), i - prev + 3); + i = prev; + } + else { + prev = i; + i = strchr(i+1, '/'); + } + } +} + void on_connection(const char* client, const int fd_client, sds **vhosts, const int vhostsc) { printf("[%s@%d] Connected successfully!\n", client, fd_client); @@ -24,6 +47,7 @@ void on_connection(const char* client, const int fd_client, sds **vhosts, const memset(address, 0, 256); read(fd_client, address, 256); + sanitizeAddress(address); printf("[%s@%d] Requested %s\n", client, fd_client, address); /* Does vhosts contain an address with the username? */ @@ -154,3 +154,10 @@ int digits(int num) { int streq(const char* first, const char* second) { return strcmp(first, second) == 0; } + +void shiftLeft(char* str, size_t size, size_t shift) { + while (*(str + shift - 1) != '\0') { + *str = *(str + shift); + str++; + } +} @@ -22,5 +22,6 @@ sds gsub_getm(sds str, const regex_t *regex, const char* repl, int* *matches, in #define clear_arr(arr) memset(arr, 0, sizeof(arr)/sizeof(*arr)) int digits(int num); int streq(const char* first, const char* second); +void shiftLeft(char* str, size_t size, size_t shift); #endif |