Diffstat (limited to 'src/routing.c')
| -rw-r--r-- | src/routing.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/routing.c b/src/routing.c
index 98bb531..d5d3969 100644
--- a/src/routing.c
+++ b/src/routing.c
@@ -256,7 +256,14 @@ char *parse_request_url(const char *request_line, UrlParams *params) {
 bool serve_static_file_with_mime(const char *request_path_relative_to_static, const char *mime_type) {
     char full_static_path[MAX_PATH_LEN];
-    if (strstr(request_path_relative_to_static, "..") != NULL) {
+    if (request_path_relative_to_static == NULL || strlen(request_path_relative_to_static) == 0) {
+        fprintf(stderr, "[ERROR] serve_static_file_with_mime: Empty path provided\n");
+        return false;
+    }
+
+    if (strstr(request_path_relative_to_static, "..") != NULL ||
+        strstr(request_path_relative_to_static, "//") != NULL ||
+        request_path_relative_to_static[0] == '/') {
         fprintf(stderr, "[SECURITY] Attempted directory traversal: %s\n", request_path_relative_to_static);
         const char *forbidden_response = |
