ref: 220cfb7a23dd0e6f6efb2cabe1389e723073e5b6
parent: 7fa8b48d8ee308ed95106f66d9376a79942c0080
author: Jacob Moody <[email protected]>
date: Sun Apr 3 18:02:27 EDT 2022
fix urlencode escape, copied from rc-httpd
--- a/handlers/dir-index
+++ b/handlers/dir-index
@@ -1,6 +1,10 @@
#!/bin/rc
full_path=`{echo $"fs_root^$"location | urlencode -d}
full_path=$"full_path
+if(! ~ `{cleanname -d$fs_root $full_path} `{cleanname $fs_root}^*){
+ error 53 'path not allowed'
+ exit
+}
echo '20 text/gemini'^$cr
ls $full_path | sed '
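Review bot: The containment test added at the top of dir-index is a bare string-prefix match against the cleaned root followed by `*`, so it also accepts a cleaned path that merely begins with the root's name without being inside it; with a constructed root of `/usr/web`, a sibling such as `/usr/web-old/x` still passes. Anchoring the pattern on a path separator closes that gap: set ``root=`{cleanname $fs_root}`` and test ``if(! ~ `{cleanname -d$fs_root $full_path} $root $root^/*){``, which matches the root itself or anything beneath it (an fs_root of `/` would need its own case). The identical check added to handlers/serve-static has the same gap. A short comment above the test, e.g. `# refuse decoded paths that cleanname resolves outside fs_root`, would record why it sits before any use of $full_path.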
--- a/handlers/serve-static
+++ b/handlers/serve-static
@@ -1,6 +1,10 @@
#!/bin/rc
full_path=`{echo $"fs_root^$"location | urlencode -d}
full_path=$"full_path
+if(! ~ `{cleanname -d$fs_root $full_path} `{cleanname $fs_root}^*){
+ error 53 'path not allowed'
+ exit
+}
if(! test -e $full_path){
error 51 'file does not exist'