authorAndrew Tridgell <tridge@samba.org>2005-05-26 03:05:37 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:17:02 -0500
commit44d2a46580da126866f704e5cf9b6599635f5f01 (patch)
tree59410b0ba2fd51788153a879d9a01d013453b9aa /source4/web_server/esp/espProcs.c
parente8e8eab400fbc310bcf1af8dd1d5436fe9e1cac4 (diff)
r6987: - make sure esp pages cannot read data outside of the swat directory
- don't expose the real system path to esp scripts
- fixed absolute paths in include() calls
(This used to be commit 6535611aa22f51b7376be3c15715e8040a059736)
Diffstat (limited to 'source4/web_server/esp/espProcs.c')
-rw-r--r--source4/web_server/esp/espProcs.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/source4/web_server/esp/espProcs.c b/source4/web_server/esp/espProcs.c
index a8da800213..5c99e092c9 100644
--- a/source4/web_server/esp/espProcs.c
+++ b/source4/web_server/esp/espProcs.c
@@ -77,8 +77,12 @@ static int includeProc(EspRequest *ep, int argc, char **argv)
esp = ep->esp;
mprAssert(argv);
for (i = 0; i < argc; i++) {
- mprGetDirName(dir, sizeof(dir), ep->docPath);
- mprSprintf(path, sizeof(path), "%s/%s", dir, argv[i]);
+ if (argv[i][0] != '/') {
+ mprGetDirName(dir, sizeof(dir), ep->docPath);
+ mprSprintf(path, sizeof(path), "%s/%s", dir, argv[i]);
+ } else {
+ mprSprintf(path, sizeof(path), "%s", argv[i]);
+ }
if (esp->readFile(ep->requestHandle, &buf, &size, path) < 0) {
espError(ep, "Can't read include file: %s", path);