Upstream
/
BlueMap
mirror of https://github.com/BlueMap-Minecraft/BlueMap.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Prevent the integrated webserver from sending raw php files

This commit is contained in:
Lukas Rieger (Blue) 2023-02-15 21:10:23 +01:00
parent bce498955f
commit a0f34d3d96
No known key found for this signature in database
GPG Key ID: 2D09EC5ED2687FF2
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
BlueMapCommon/src/main/java/de/bluecolored/bluemap/common/web/FileRequestHandler.java
View File

@ -51,13 +51,11 @@ public class FileRequestHandler implements HttpRequestHandler {
@Override
public HttpResponse handle(HttpRequest request) {
if (
!request.getMethod().equalsIgnoreCase("GET") &&
!request.getMethod().equalsIgnoreCase("POST")
) return new HttpResponse(HttpStatusCode.NOT_IMPLEMENTED);
!request.getMethod().equalsIgnoreCase("GET")
) return new HttpResponse(HttpStatusCode.BAD_REQUEST);
HttpResponse response = generateResponse(request);
return response;
}
@ -103,6 +101,11 @@ public class FileRequestHandler implements HttpRequestHandler {
return new HttpResponse(HttpStatusCode.NOT_FOUND);
}
// don't send php files
if (file.getName().endsWith(".php")) {
return new HttpResponse(HttpStatusCode.FORBIDDEN);
}
// check if file is still in web-root and is not a directory
if (!file.toPath().normalize().startsWith(webRoot) || file.isDirectory()){
return new HttpResponse(HttpStatusCode.FORBIDDEN);