Commit 31a0c7e628b39fedc8a0d64181a27601457bef59
2024-09-10T20:39:44
do not follow ../
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104
diff --git a/README.md b/README.md
index a81750e..ab5f3d1 100644
--- a/README.md
+++ b/README.md
@@ -553,6 +553,7 @@ serving files for display or download (Web 1.0).
- ./app/views/
- libkc3
+ - evaluation order for && and ||
- operators dispatch
- list of matching operators (facts_with)
- base-specific big floats
diff --git a/lib/kc3/0.1/httpd.kc3 b/lib/kc3/0.1/httpd.kc3
index ad19859..23cb123 100644
--- a/lib/kc3/0.1/httpd.kc3
+++ b/lib/kc3/0.1/httpd.kc3
@@ -218,17 +218,23 @@ defmodule HTTPd do
}
def static_controller = fn (request) {
- path = root_dir + request.url
- render = if File.exists?(path) do
- if File.is_directory?(path) do
- directory_page
- else
- show_page
- end
- else
- error_404_page
- end
+ render = if (! Str.starts_with(request.url, "/") ||
+ Str.has_str?(request.url, "/..")) do
+ error_404_page
+ else
+ path = root_dir + request.url
+ if ! File.exists?(path) do
+ error_404_page
+ else
+ if File.is_directory?(path) do
+ directory_page
+ else
+ show_page
+ end
+ end
+ end
render(request)
+ end
}
def_route("/", static_controller)
diff --git a/lib/kc3/0.1/str.facts b/lib/kc3/0.1/str.facts
index 8dfba05..755bc8d 100644
--- a/lib/kc3/0.1/str.facts
+++ b/lib/kc3/0.1/str.facts
@@ -20,3 +20,6 @@ replace {Str.slice, :symbol_value, fn (str, start, end_) {
add {Str, :symbol, Str.starts_with?}
replace {Str.starts_with?, :symbol_value,
cfn Bool "str_starts_with" (Str, Str, Result)}
+add {Str, :symbol, Str.has_str?}
+replace {Str.has_str?, :symbol_value,
+ cfn Bool "str_has_str" (Str, Str, Result)}
diff --git a/libkc3/str.c b/libkc3/str.c
index c5dba48..755251f 100644
--- a/libkc3/str.c
+++ b/libkc3/str.c
@@ -265,6 +265,25 @@ bool * str_has_reserved_characters (const s_str *src, bool *dest)
return dest;
}
+bool * str_has_str (const s_str *src, const s_str *search, bool *dest)
+{
+ uw offset;
+ offset = 0;
+ while (1) {
+ if (src->size - offset < search->size) {
+ *dest = false;
+ return dest;
+ }
+ if (! memcmp(src->ptr.pchar + offset, search->ptr.pchar,
+ search->size)) {
+ *dest = true;
+ return dest;
+ }
+ offset++;
+ }
+ return NULL;
+}
+
s_str * str_init (s_str *str, char *free, uw size, const char *p)
{
s_str tmp = {0};
diff --git a/libkc3/str.h b/libkc3/str.h
index 18294c6..1b9b7b8 100644
--- a/libkc3/str.h
+++ b/libkc3/str.h
@@ -101,6 +101,8 @@ bool * str_ends_with (const s_str *str, const s_str *end,
bool *dest);
bool * str_has_reserved_characters (const s_str *src,
bool *dest);
+bool * str_has_str (const s_str *src, const s_str *search,
+ bool *dest);
sw str_length_utf8 (const s_str *str);
bool str_parse_eval (const s_str *str, s_tag *dest);
sw str_peek_bool (const s_str *str, bool *dest);