expand PATH before double dot check
index 0cb43ffbc57cef49e45c951b7e4194a87df15704..fe28169936e12dcf7ae4e052d4bb6401a2d35b90 100755 (executable)
--- a/server.sh
+++ b/server.sh
@@ -90,9 +90,10 @@ HTTP_format(){
   '
 }
 
-PATH_INFO="$(invalidate "${PATH_INFO}" '(^|.*/)\.\./.*' '')"
 
-if [ -z "$QUERY_STRING" -a -f "$_DATA/$PATH_INFO" ]; then
-  . "$_EXEC/shcgi/static.sh" "$_DATA/$PATH_INFO"
+if [ -z "$QUERY_STRING" ]; then
+  PATH_INFO="$(printf "$(printf %s "$PATH_INFO" |sed 's:+: :g;s:\\:\\\\:g;s:%:\\x:g')")"
+  PATH_INFO="$(invalidate "${PATH_INFO}" '(^|.*/)\.\./.*' '')"
+  [ -f "$_DATA/$PATH_INFO" ] && . "$_EXEC/shcgi/static.sh" "$_DATA/$PATH_INFO"
   exit 0
 fi |HTTP_format
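Review bot: The `..` check now runs only inside the `if [ -z "$QUERY_STRING" ]` body, which is also the left-hand side of `|HTTP_format` and therefore a subshell, so requests with a query string are no longer checked and the decoded, validated `PATH_INFO` is discarded when the pipeline ends. Before this change the `invalidate` call ran at top level for every request. If code after the hunk (not visible here) still reads `PATH_INFO`, it now gets the raw, percent-encoded value; moving the two `PATH_INFO=` assignments back above the `if` would keep the check unconditional, or, if later code expects the encoded form, the check could run there on a decoded copy. Separately, the decoder depends on `\x` escapes in the printf format, which POSIX does not define and which some `/bin/sh` printf builtins do not expand, so a comment naming the required shell (or an octal `\ooo` conversion) would make that dependency explicit.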