-const char cgisimple_rcs[] = "$Id: cgisimple.c,v 1.97 2010/03/07 12:07:51 fabiankeil Exp $";
+const char cgisimple_rcs[] = "$Id: cgisimple.c,v 1.101 2011/02/14 16:04:55 fabiankeil Exp $";
/*********************************************************************
*
* File : $Source: /cvsroot/ijbswa/current/cgisimple.c,v $
}
get_string_param(parameters, "file", &filename);
- /* Check paramter for hack attempts */
- if (filename && strchr(filename, '/'))
+ if (filename == NULL)
{
- return JB_ERR_CGI_PARAMS;
+ /* It's '/' so serve the index.html if there is one. */
+ filename = "index.html";
}
- if (filename && strstr(filename, ".."))
+ else if (NULL != strchr(filename, '/') || NULL != strstr(filename, ".."))
{
+ /*
+ * We currently only support a flat file
+ * hierachy for the documentation.
+ */
+ log_error(LOG_LEVEL_ERROR,
+ "Rejecting the request to serve '%s' as it contains '/' or '..'",
+ filename);
return JB_ERR_CGI_PARAMS;
}
- full_path = make_path(csp->config->usermanual, filename ? filename : "index.html");
+ full_path = make_path(csp->config->usermanual, filename);
if (full_path == NULL)
{
return JB_ERR_MEMORY;
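Review bot: The new `else if` only rejects `/` and `..`, so a backslash or a drive-letter colon in the `file` parameter still reaches make_path; if make_path treats such names as absolute on Win32/OS2 builds (it is outside this hunk, so I cannot confirm from here), the "flat hierarchy" intent stated in the new comment is not enforced there. Since the documentation directory is flat anyway, a broader reject costs nothing: `else if (NULL != strpbrk(filename, "/\\:") || NULL != strstr(filename, ".."))`, with the log message widened accordingly. The added comment also misspells "hierarchy". The enclosing function starts and ends outside this hunk, and the return value of get_string_param on the context line above is still unchecked.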
url_param[0] = '\0';
}
}
- else if ((NULL == strstr(url_param, "://")
- || (strstr(url_param, "://") > strstr(url_param, "/"))))
+ else if ((url_param[0] != '\0')
+ && ((NULL == strstr(url_param, "://")
+ || (strstr(url_param, "://") > strstr(url_param, "/")))))
{
/*
* No prefix or at least no prefix before
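Review bot: The new condition calls `strstr(url_param, "://")` twice and compares a pointer against `strstr(url_param, "/")`, which is only safe because any "://" match guarantees a "/" match, so the right-hand side can never be NULL when the comparison is reached; that reliance on short-circuit order deserves a comment, e.g. `/* If "://" is present a "/" is too, so the pointer comparison never sees NULL. */`. Computing the separator once, `const char *scheme_sep = strstr(url_param, "://");`, above the if/else chain (which begins outside this hunk) and writing the test as `scheme_sep == NULL || scheme_sep > strchr(url_param, '/')` would make both points visible in the code itself.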
fp = fopen(filename, "rb");
if (NULL == fp)
{
+ log_error(LOG_LEVEL_ERROR, "Failed to open %s: %E", filename);
return JB_ERR_FILE;
}