From a6dcd4285f52bba4fd579e991393b94067aff443 Mon Sep 17 00:00:00 2001
From: paul
Date: Mon, 28 Nov 2016 14:40:06 +0000
Subject: [PATCH 1/1] expand PATH before double dot check

svn path=/trunk/; revision=47
---
 server.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server.sh b/server.sh
index 0cb43ff..fe28169 100755
--- a/server.sh
+++ b/server.sh
@@ -90,9 +90,10 @@ HTTP_format(){
 '
 }
-PATH_INFO="$(invalidate "${PATH_INFO}" '(^|.*/)\.\./.*' '')"
-if [ -z "$QUERY_STRING" -a -f "$_DATA/$PATH_INFO" ]; then
- . "$_EXEC/shcgi/static.sh" "$_DATA/$PATH_INFO"
+if [ -z "$QUERY_STRING" ]; then
+ PATH_INFO="$(printf "$(printf %s "$PATH_INFO" |sed 's:+: :g;s:\\:\\\\:g;s:%:\\x:g')")"
+ PATH_INFO="$(invalidate "${PATH_INFO}" '(^|.*/)\.\./.*' '')"
+ [ -f "$_DATA/$PATH_INFO" ] && . "$_EXEC/shcgi/static.sh" "$_DATA/$PATH_INFO"
 exit 0
 fi |HTTP_format
-- 
2.39.2
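Review bot: Moving the `invalidate` call inside `if [ -z "$QUERY_STRING" ]` means the `..` check no longer runs for any request that carries a query string, whereas the removed line applied it unconditionally; if code after `fi` (outside this hunk) still reads `PATH_INFO`, it now receives the raw, undecoded and unfiltered value. Hoisting both new `PATH_INFO=` assignments above the `if` would keep decoding and the traversal check on every request. The decode step also hands request data to `printf` as its format string and relies on `\x` escapes, which POSIX `printf` does not define, so it deserves a comment such as `# requires a printf that expands \xHH; every % is rewritten first so no format directive survives`. Separately, `exit 0` is now reached whenever the query string is empty, even when the `[ -f ... ]` test fails, so such requests appear to end without any response; please confirm that is intended.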