expand PATH before double dot check
authorpaul <paul@plutz.net>
Mon, 28 Nov 2016 14:40:06 +0000 (14:40 +0000)
committerpaul <paul@plutz.net>
Mon, 28 Nov 2016 14:40:06 +0000 (14:40 +0000)
svn path=/trunk/; revision=47

server.sh

index 0cb43ff..fe28169 100755 (executable)
--- a/server.sh
+++ b/server.sh
@@ -90,9 +90,10 @@ HTTP_format(){
   '
 }
 
-PATH_INFO="$(invalidate "${PATH_INFO}" '(^|.*/)\.\./.*' '')"
 
-if [ -z "$QUERY_STRING" -a -f "$_DATA/$PATH_INFO" ]; then
-  . "$_EXEC/shcgi/static.sh" "$_DATA/$PATH_INFO"
+if [ -z "$QUERY_STRING" ]; then
+  PATH_INFO="$(printf "$(printf %s "$PATH_INFO" |sed 's:+: :g;s:\\:\\\\:g;s:%:\\x:g')")"
+  PATH_INFO="$(invalidate "${PATH_INFO}" '(^|.*/)\.\./.*' '')"
+  [ -f "$_DATA/$PATH_INFO" ] && . "$_EXEC/shcgi/static.sh" "$_DATA/$PATH_INFO"
   exit 0
 fi |HTTP_format
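Review bot: The `..` check no longer covers anything that runs after this block. Both `PATH_INFO=` assignments now sit inside `if … fi |HTTP_format`, and the left side of a pipeline runs in a subshell, so the decoded and checked value is discarded at `fi`; with a non-empty QUERY_STRING the check does not run at all. The old code called `invalidate` at top level for every request, so any later code (outside this hunk) that builds a path from PATH_INFO would now see the raw request value. Moving the decode line and the `invalidate` line above `if [ -z "$QUERY_STRING" ]; then` restores that coverage, with a comment such as `# decode %XX before the .. check so encoded dots are rejected too`. The decode also relies on `printf` accepting `\x` escapes, which POSIX does not specify, so confirm it under the shell that actually runs server.sh.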