changeset 1046:36c1bd8ea8db

static: use filename from uri_info instead of from the client

The uri_info filename does *not* have the prefix. This didn't matter when blahgd was hosted at / URI prefix, but makes a big difference with other prefixes (e.g., /blahg/).

Signed-off-by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
author Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
date Thu, 13 Aug 2020 10:55:04 -0400
parents e719679a8439
children 29e1a502b571
files static.c
diffstat 1 files changed, 4 insertions(+), 7 deletions(-)
--- a/static.c	Thu Aug 13 10:51:57 2020 -0400
+++ b/static.c	Thu Aug 13 10:55:04 2020 -0400
@@ -93,18 +93,15 @@
 	info = get_uri_info(uri);
 	ASSERT(info);
 
-	/* SCGI_DOCUMENT_URI comes with a leading /, remove it. */
-	uri++;
-
 	snprintf(path, sizeof(path), "%s/static/%s", str_cstr(config.theme_dir),
-		 uri);
+		 info->uri);
 
 	str_putref(uri_str);
 
 	/*
-	 * We assume that the URI is relative to the theme's static subdir.
-	 * Since we have a whitelist of allowed URIs, whe should be safe
-	 * here.
+	 * We assume that the URI (minus the URI prefix) is relative to the
+	 * theme's static subdir.  Since we have a whitelist of allowed
+	 * URIs, we are safe from file system traversal issues.
 	 */
 	req->scgi->response.body = read_file_len(path,
 						 &req->scgi->response.bodylen);
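
Review bot: the rewritten comment above read_file_len() still rests the traversal claim on the whitelist alone, while the property that now matters is that path is built from info->uri (the table entry) and no longer from the client-supplied uri. The comment should say that explicitly and record the invariant that whitelist entries never start with / or contain .. components, since nothing in this hunk enforces it. Two smaller points on the same lines: info->uri is now dereferenced with ASSERT(info) as the only guard, so if ASSERT can be compiled out a failed lookup becomes a NULL dereference and an explicit error return would be safer; and the snprintf() result is not compared against sizeof(path), so a long theme_dir would silently truncate the path before it is opened.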