Prevent the integrated webserver from sending raw php files

Lukas Rieger (Blue) 2023-02-15 21:10:23 +01:00
parent bce498955f
commit a0f34d3d96
No known key found for this signature in database
GPG Key ID: 2D09EC5ED2687FF2


@ -51,13 +51,11 @@ public FileRequestHandler(Path webRoot) {
@Override
public HttpResponse handle(HttpRequest request) {
if (
!request.getMethod().equalsIgnoreCase("GET") &&
!request.getMethod().equalsIgnoreCase("POST")
) return new HttpResponse(HttpStatusCode.NOT_IMPLEMENTED);
!request.getMethod().equalsIgnoreCase("GET")
) return new HttpResponse(HttpStatusCode.BAD_REQUEST);
HttpResponse response = generateResponse(request);
return response;
}
@ -103,6 +101,11 @@ private HttpResponse generateResponse(HttpRequest request) {
return new HttpResponse(HttpStatusCode.NOT_FOUND);
}
// don't send php files
if (file.getName().endsWith(".php")) {
return new HttpResponse(HttpStatusCode.FORBIDDEN);
}
// check if file is still in web-root and is not a directory
if (!file.toPath().normalize().startsWith(webRoot) || file.isDirectory()){
return new HttpResponse(HttpStatusCode.FORBIDDEN);
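Review bot: The new `.php` guard in generateResponse compares the file name case-sensitively, so on a case-insensitive file system (Windows, default macOS) a differently cased name still resolves to the same script and its source would be sent. Normalising the name before the comparison closes that gap: `if (file.getName().toLowerCase(Locale.ROOT).endsWith(".php")) {`, which needs `java.util.Locale` imported. The comment could also say why the block exists, for example `// never serve PHP source: the integrated server does not execute it, and the raw file may expose configuration or credentials`. The body of generateResponse starts and ends outside the hunk, so how `file` is derived from the request path is not visible here. If the web root can hold other server-side script types, an allow-list of servable extensions would be sturdier than a single deny rule.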