indymedia
/
epicyon
mirror of https://gitlab.com/bashrc2/epicyon
7
4
Fork 1
Code Issues 14 Releases Wiki Activity

.

merge-requests/30/head
Bob Mottram 2023-01-23 23:36:17 +00:00
parent f25874cd8f bb9af5b860
commit 11026be3a1
1 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
daemon.py
View File

@ -16701,7 +16701,20 @@ class PubServer(BaseHTTPRequestHandler):
return True return True
return False return False
def _check_bad_path(self):
path_lower = self.path.lower()
if '..' in path_lower or \
'%2e%2e' in path_lower or \
'%252e%252e' in path_lower:
print('WARN: bad path ' + self.path)
self._400()
return True
return False
def do_GET(self): def do_GET(self):
if self._check_bad_path():
return
calling_domain = self.server.domain_full calling_domain = self.server.domain_full
if self.headers.get('Host'): if self.headers.get('Host'):
@ -20439,18 +20452,33 @@ class PubServer(BaseHTTPRequestHandler):
self._200() self._200()
def do_PROPFIND(self): def do_PROPFIND(self):
if self._check_bad_path():
return
self._dav_handler('propfind', self.server.debug) self._dav_handler('propfind', self.server.debug)
def do_PUT(self): def do_PUT(self):
if self._check_bad_path():
return
self._dav_handler('put', self.server.debug) self._dav_handler('put', self.server.debug)
def do_REPORT(self): def do_REPORT(self):
if self._check_bad_path():
return
self._dav_handler('report', self.server.debug) self._dav_handler('report', self.server.debug)
def do_DELETE(self): def do_DELETE(self):
if self._check_bad_path():
return
self._dav_handler('delete', self.server.debug) self._dav_handler('delete', self.server.debug)
def do_HEAD(self): def do_HEAD(self):
if self._check_bad_path():
return
calling_domain = self.server.domain_full calling_domain = self.server.domain_full
if self.headers.get('Host'): if self.headers.get('Host'):
calling_domain = decoded_host(self.headers['Host']) calling_domain = decoded_host(self.headers['Host'])
@ -22081,6 +22109,9 @@ class PubServer(BaseHTTPRequestHandler):
self._400() self._400()
def do_POST(self): def do_POST(self):
if self._check_bad_path():
return
proxy_type = self.server.proxy_type proxy_type = self.server.proxy_type
postreq_start_time = time.time() postreq_start_time = time.time()