shouldn't need to query escape meme names, and don't allow / to prevent traversal

Ted Unangst 2019-11-26 13:47:33 -05:00
parent ef845b2a2c
commit 12f7cf6ec3
1 changed files with 4 additions and 12 deletions

16
web.go

@ -2025,21 +2025,13 @@ func servehtml(w http.ResponseWriter, r *http.Request) {
}
}
func serveemu(w http.ResponseWriter, r *http.Request) {
xid := mux.Vars(r)["xid"]
emu, err := url.QueryUnescape(xid)
if err != nil {
log.Print(err)
}
emu := mux.Vars(r)["emu"]
w.Header().Set("Cache-Control", "max-age="+somedays())
http.ServeFile(w, r, dataDir+"/emus/"+emu)
}
func servememe(w http.ResponseWriter, r *http.Request) {
xid := mux.Vars(r)["xid"]
meme, err := url.QueryUnescape(xid)
if err != nil {
log.Print(err)
}
meme := mux.Vars(r)["meme"]
w.Header().Set("Cache-Control", "max-age="+somedays())
http.ServeFile(w, r, dataDir+"/memes/"+meme)
@ -2289,8 +2281,8 @@ func serve() {
getters.HandleFunc("/o", thelistingoftheontologies)
getters.HandleFunc("/o/{name:.+}", showontology)
getters.HandleFunc("/d/{xid:[[:alnum:].]+}", servefile)
getters.HandleFunc("/emu/{xid:.+}", serveemu)
getters.HandleFunc("/meme/{xid:.+}", servememe)
getters.HandleFunc("/emu/{emu:[^/]+}", serveemu)
getters.HandleFunc("/meme/{meme:[^/]+}", servememe)
getters.HandleFunc("/.well-known/webfinger", fingerlicker)
getters.HandleFunc("/server", serveractor)
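Review bot: In serveemu and servememe the file path is still built by plain concatenation (`dataDir+"/emus/"+emu`), so the only thing keeping a separator out of it is the `[^/]+` pattern registered in serve(), a few hundred lines from the handlers. A comment on each handler, such as `// emu comes from the [^/]+ route in serve(); it must never contain a path separator`, would stop a later route edit from silently reopening the traversal. For a layer that does not depend on the router, the handler could also refuse the name itself, e.g. `if strings.ContainsAny(emu, "/\\") || emu == ".." { http.NotFound(w, r); return }` (assuming `strings` is imported in web.go). The pattern still admits `..` and dot-prefixed names; http.ServeFile is documented to reject requests whose URL path has a `..` element, but a test pinning that for both routes would be better than relying on it. servememe's body ends outside the visible hunk.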