Prevent the integrated webserver from sending raw php files

Lukas Rieger (Blue) 2023-02-15 21:10:23 +01:00
parent bce498955f
commit a0f34d3d96
No known key found for this signature in database
GPG Key ID: 2D09EC5ED2687FF2
1 changed files with 7 additions and 4 deletions


@ -51,13 +51,11 @@ public class FileRequestHandler implements HttpRequestHandler {
@Override @Override
public HttpResponse handle(HttpRequest request) { public HttpResponse handle(HttpRequest request) {
if ( if (
!request.getMethod().equalsIgnoreCase("GET") && !request.getMethod().equalsIgnoreCase("GET")
!request.getMethod().equalsIgnoreCase("POST") ) return new HttpResponse(HttpStatusCode.BAD_REQUEST);
) return new HttpResponse(HttpStatusCode.NOT_IMPLEMENTED);
HttpResponse response = generateResponse(request); HttpResponse response = generateResponse(request);
return response; return response;
} }
@ -103,6 +101,11 @@ public class FileRequestHandler implements HttpRequestHandler {
return new HttpResponse(HttpStatusCode.NOT_FOUND); return new HttpResponse(HttpStatusCode.NOT_FOUND);
} }
// don't send php files
if (file.getName().endsWith(".php")) {
return new HttpResponse(HttpStatusCode.FORBIDDEN);
}
// check if file is still in web-root and is not a directory // check if file is still in web-root and is not a directory
if (!file.toPath().normalize().startsWith(webRoot) || file.isDirectory()){ if (!file.toPath().normalize().startsWith(webRoot) || file.isDirectory()){
return new HttpResponse(HttpStatusCode.FORBIDDEN); return new HttpResponse(HttpStatusCode.FORBIDDEN);
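Review bot: The new `.php` guard compares the file name case-sensitively, so on a case-insensitive filesystem a differently-cased extension (for example `.PHP`) would not match `endsWith(".php")` and the script source could still be returned raw. Lower-casing first closes that gap: `if (file.getName().toLowerCase(Locale.ROOT).endsWith(".php")) {` (this needs `java.util.Locale` imported). The check also covers a single extension only; if the web root can hold other server-side or configuration files, an allowlist of servable extensions would be a safer default than a one-entry denylist. How `file` is derived from the request lies outside this hunk, so it is worth confirming that the name tested here is the one the filesystem finally opens.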