X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fmodules%2Fm_httpd.cpp;h=f3ec3298bd8823b154b4c9fb5017159ba7bea800;hb=b4a174ee9c32d62ea6bf010e837e8c5b1c3d36a3;hp=8eb44a03ba79f2f12c7455f67e3cb7f507100b26;hpb=4a6fedd9324d87349a806c9c1d0ae6e7d3c1fd38;p=user%2Fhenk%2Fcode%2Finspircd.git

diff --git a/src/modules/m_httpd.cpp b/src/modules/m_httpd.cpp
index 8eb44a03b..f3ec3298b 100644
--- a/src/modules/m_httpd.cpp
+++ b/src/modules/m_httpd.cpp
@@ -3,9 +3,9 @@
  *
  *   Copyright (C) 2019 linuxdaemon <linuxdaemon.irc@gmail.com>
  *   Copyright (C) 2018 edef <edef@edef.eu>
- *   Copyright (C) 2013-2014, 2017-2019 Sadie Powell <sadie@witchery.services>
+ *   Copyright (C) 2013-2014, 2017-2020 Sadie Powell <sadie@witchery.services>
  *   Copyright (C) 2012-2016 Attila Molnar <attilamolnar@hush.com>
- *   Copyright (C) 2012, 2019 Robby <robby@chatbelgie.be>
+ *   Copyright (C) 2012 Robby <robby@chatbelgie.be>
  *   Copyright (C) 2009 Uli Schlachter <psychon@inspircd.org>
  *   Copyright (C) 2009 Daniel De Graaf <danieldg@inspircd.org>
  *   Copyright (C) 2008 Robin Burchell <robin+git@viroteck.net>
@@ -264,14 +264,18 @@ class HttpServerSocket : public BufferedSocket, public Timer, public insp::intru
 		Close();
 	}
 
-	void SendHTTPError(unsigned int response)
+	void SendHTTPError(unsigned int response, const char* errstr = NULL)
 	{
+		if (!errstr)
+			errstr = http_status_str((http_status)response);
+
+		ServerInstance->Logs->Log(MODNAME, LOG_DEBUG, "Sending HTTP error %u: %s", response, errstr);
 		static HTTPHeaders empty;
 		std::string data = InspIRCd::Format(
 			"<html><head></head><body style='font-family: sans-serif; text-align: center'>"
 			"<h1 style='font-size: 48pt'>Error %u</h1><h2 style='font-size: 24pt'>%s</h2><hr>"
 			"<small>Powered by <a href='https://www.inspircd.org'>InspIRCd</a></small></body></html>",
-			response, http_status_str((http_status)response));
+			response, errstr);
 
 		Page(data, response, &empty);
 	}
@@ -289,7 +293,7 @@ class HttpServerSocket : public BufferedSocket, public Timer, public insp::intru
 		else
 			rheaders.RemoveHeader("Content-Type");
 
-		/* Supporting Connection: keep-alive causes a whole world of hurt syncronizing timeouts,
+		/* Supporting Connection: keep-alive causes a whole world of hurt synchronizing timeouts,
 		 * so remove it, its not essential for what we need.
 		 */
 		rheaders.SetHeader("Connection", "Close");
@@ -303,8 +307,10 @@ class HttpServerSocket : public BufferedSocket, public Timer, public insp::intru
 		if (parser.upgrade || HTTP_PARSER_ERRNO(&parser))
 			return;
 		http_parser_execute(&parser, &parser_settings, recvq.data(), recvq.size());
-		if (parser.upgrade || HTTP_PARSER_ERRNO(&parser))
+		if (parser.upgrade)
 			SendHTTPError(status_code ? status_code : 400);
+		else if (HTTP_PARSER_ERRNO(&parser))
+			SendHTTPError(status_code ? status_code : 400, http_errno_description((http_errno)parser.http_errno));
 	}
 
 	void ServeData()
@@ -345,7 +351,32 @@ class HttpServerSocket : public BufferedSocket, public Timer, public insp::intru
 			return false;
 
 		if (url.field_set & (1 << UF_PATH))
-			out.path = uri.substr(url.field_data[UF_PATH].off, url.field_data[UF_PATH].len);
+		{
+			// Normalise the path.
+			std::vector<std::string> pathsegments;
+			irc::sepstream pathstream(uri.substr(url.field_data[UF_PATH].off, url.field_data[UF_PATH].len), '/');
+			for (std::string pathsegment; pathstream.GetToken(pathsegment); )
+			{
+				if (pathsegment == ".")
+				{
+					// Stay at the current level.
+					continue;
+				}
+
+				if (pathsegment == "..")
+				{
+					// Traverse up to the previous level.
+					if (!pathsegments.empty())
+						pathsegments.pop_back();
+					continue;
+				}
+
+				pathsegments.push_back(pathsegment);
+			}
+
+			out.path.reserve(url.field_data[UF_PATH].len);
+			out.path.append("/").append(stdalgo::string::join(pathsegments, '/'));
+		}
 
 		if (url.field_set & (1 << UF_FRAGMENT))
 			out.fragment = uri.substr(url.field_data[UF_FRAGMENT].off, url.field_data[UF_FRAGMENT].len);