summaryrefslogtreecommitdiff
path: root/usr.sbin/httpd
diff options
context:
space:
mode:
authorFlorian Obser <florian@cvs.openbsd.org>2015-04-25 14:40:36 +0000
committerFlorian Obser <florian@cvs.openbsd.org>2015-04-25 14:40:36 +0000
commit8618487282f064cd4d7198b503ec5310d83f2ff8 (patch)
treedeada47e267804f826a5e3e4b4f00a20380a3f21 /usr.sbin/httpd
parent645dedbc3e9ada87db981415ff44d81372463280 (diff)
Prepend files or directories containing ":" with "./" in directory
indexes as per RFC 3986: A path segment that contains a colon character (e.g., "this:that") cannot be used as the first segment of a relative-path reference, as it would be mistaken for a scheme name. Such a segment must be preceded by a dot-segment (e.g., "./this:that") to make a relative- path reference. While here add a "/" to the end of directory names, this saves us one redirect round trip. Found the hard way & "functionality wise, OK" ajacoutot@ RFC pointer & OK benno@
Diffstat (limited to 'usr.sbin/httpd')
-rw-r--r--usr.sbin/httpd/server_file.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/usr.sbin/httpd/server_file.c b/usr.sbin/httpd/server_file.c
index f697504dd3c..3580bbbd323 100644
--- a/usr.sbin/httpd/server_file.c
+++ b/usr.sbin/httpd/server_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_file.c,v 1.51 2015/02/12 10:05:29 reyk Exp $ */
+/* $OpenBSD: server_file.c,v 1.52 2015/04/25 14:40:35 florian Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -352,13 +352,15 @@ server_file_index(struct httpd *env, struct client *clt, struct stat *st)
} else if (S_ISDIR(st->st_mode)) {
namewidth -= 1; /* trailing slash */
if (evbuffer_add_printf(evb,
- "<a href=\"%s\">%s/</a>%*s%s%20s\n",
+ "<a href=\"%s%s/\">%s/</a>%*s%s%20s\n",
+ strchr(escapeduri, ':') != NULL ? "./" : "",
escapeduri, escapedhtml,
MAXIMUM(namewidth, 0), " ", tmstr, "-") == -1)
skip = 1;
} else if (S_ISREG(st->st_mode)) {
if (evbuffer_add_printf(evb,
- "<a href=\"%s\">%s</a>%*s%s%20llu\n",
+ "<a href=\"%s%s\">%s</a>%*s%s%20llu\n",
+ strchr(escapeduri, ':') != NULL ? "./" : "",
escapeduri, escapedhtml,
MAXIMUM(namewidth, 0), " ",
tmstr, st->st_size) == -1)