diff options
author | Florian Obser <florian@cvs.openbsd.org> | 2015-04-25 14:40:36 +0000 |
---|---|---|
committer | Florian Obser <florian@cvs.openbsd.org> | 2015-04-25 14:40:36 +0000 |
commit | 8618487282f064cd4d7198b503ec5310d83f2ff8 (patch) | |
tree | deada47e267804f826a5e3e4b4f00a20380a3f21 /usr.sbin/httpd | |
parent | 645dedbc3e9ada87db981415ff44d81372463280 (diff) |
Prepend files or directories containing ":" with "./" in directory
indexes as per RFC 3986:
A path segment that contains a colon character (e.g., "this:that")
cannot be used as the first segment of a relative-path reference, as
it would be mistaken for a scheme name. Such a segment must be
preceded by a dot-segment (e.g., "./this:that") to make a relative-
path reference.
While here add a "/" to the end of directory names, this saves us one
redirect round trip.
Found the hard way & "functionality wise, OK" ajacoutot@
RFC pointer & OK benno@
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r-- | usr.sbin/httpd/server_file.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.sbin/httpd/server_file.c b/usr.sbin/httpd/server_file.c index f697504dd3c..3580bbbd323 100644 --- a/usr.sbin/httpd/server_file.c +++ b/usr.sbin/httpd/server_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server_file.c,v 1.51 2015/02/12 10:05:29 reyk Exp $ */ +/* $OpenBSD: server_file.c,v 1.52 2015/04/25 14:40:35 florian Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org> @@ -352,13 +352,15 @@ server_file_index(struct httpd *env, struct client *clt, struct stat *st) } else if (S_ISDIR(st->st_mode)) { namewidth -= 1; /* trailing slash */ if (evbuffer_add_printf(evb, - "<a href=\"%s\">%s/</a>%*s%s%20s\n", + "<a href=\"%s%s/\">%s/</a>%*s%s%20s\n", + strchr(escapeduri, ':') != NULL ? "./" : "", escapeduri, escapedhtml, MAXIMUM(namewidth, 0), " ", tmstr, "-") == -1) skip = 1; } else if (S_ISREG(st->st_mode)) { if (evbuffer_add_printf(evb, - "<a href=\"%s\">%s</a>%*s%s%20llu\n", + "<a href=\"%s%s\">%s</a>%*s%s%20llu\n", + strchr(escapeduri, ':') != NULL ? "./" : "", escapeduri, escapedhtml, MAXIMUM(namewidth, 0), " ", tmstr, st->st_size) == -1) |