authorWilhem Barbier <wilhem.b@free.fr>2019-06-11 10:33:56 +0200
committerMattes D <github@xoft.cz>2019-06-11 10:33:56 +0200
commit85006d10f5b4f8fb2e95be479d0b7c28a42d1d46 (patch)
tree597fafe870ccd8859f07d404acacaab03b26fa5b /src/WebAdmin.cpp
parent* Sponge: Add water absorbtion (#4333) (diff)
Diffstat (limited to 'src/WebAdmin.cpp')
-rw-r--r--src/WebAdmin.cpp17
1 files changed, 8 insertions, 9 deletions
diff --git a/src/WebAdmin.cpp b/src/WebAdmin.cpp
index 335b6b94e..9082044fa 100644
--- a/src/WebAdmin.cpp
+++ b/src/WebAdmin.cpp
@@ -375,14 +375,13 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
}
}
- // Remove all "../" strings:
- ReplaceString(FileURL, "../", "");
-
// Read the file contents and guess its mime-type, based on the extension:
AString Content = "<h2>404 Not Found</h2>";
- AString ContentType;
+ AString ContentType = "text/html";
AString Path = Printf(FILE_IO_PREFIX "webadmin/files/%s", FileURL.c_str());
- if (cFile::IsFile(Path))
+
+ // Return 404 if the file is not found, or the URL contains '../' (for security reasons)
+ if ((FileURL.find("../") == AString::npos) && cFile::IsFile(Path))
{
cFile File(Path, cFile::fmRead);
AString FileContent;
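Review bot: The traversal guard on the `if` line is a substring denylist on `"../"`, which covers only one spelling of a parent-directory reference; on Windows builds a backslash is also a path separator, and whether `FileURL` has already been percent-decoded before this point is not visible in the hunk. A more robust rule is to split `FileURL` on both `'/'` and `'\\'` and reject the request when any component equals `".."`, or to canonicalise `Path` and require that it still lies under the `webadmin/files/` root before calling `cFile::IsFile`. The comment above the check should also state the invariant it enforces rather than the mechanism, e.g. `// Reject any parent-directory reference so the request cannot resolve outside webadmin/files/`. HandleFileRequest starts and ends outside this hunk.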
@@ -395,10 +394,10 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
ContentType = GetContentTypeFromFileExt(Path.substr(LastPointPosition + 1));
}
}
- }
- if (ContentType.empty())
- {
- ContentType = "application/unknown";
+ if (ContentType.empty())
+ {
+ ContentType = "application/unknown";
+ }
}
// Send the response: