Always return 403 to requests for access.ars or webctrl.ini

Previously, 403 was only returned if they existed, and 404 if they didn't.

Always return 403 to requests for access.ars or webctrl.ini
6623cff0 · Deucе · 22c6721d · 6623cff0
Commit 6623cff0 authored 4 years ago by Deucе
--- a/src/sbbs3/websrvr.c
+++ b/src/sbbs3/websrvr.c
@@ -3602,14 +3602,16 @@ static BOOL check_request(http_session_t * session)
 		/* Terminate the path after the slash */
 		*(last_slash+1)=0;
 		SAFEPRINTF(str,"%saccess.ars",curdir);
-		if(!stat(str,&sb)) {
 		/* NEVER serve up an access.ars file */
+		if(!strcmp(path,str)) {
+			if(!stat(str,&sb)) {
 				lprintf(LOG_WARNING,"%04d !WARNING! access.ars support is deprecated and will be REMOVED very soon.",session->socket);
 				lprintf(LOG_WARNING,"%04d !WARNING! access.ars found at %s.",session->socket,str);
-			if(!strcmp(path,str)) {
+			}
 			send_error(session,__LINE__,"403 Forbidden");
 			return(FALSE);
 		}
+		if(!stat(str,&sb)) {
 			/* Read access.ars file */
 			if((file=fopen(str,"r"))!=NULL) {
 				fgets(session->req.ars,sizeof(session->req.ars),file);
@@ -3624,12 +3626,12 @@ static BOOL check_request(http_session_t * session)
 			truncsp(session->req.ars);
 		}
 		SAFEPRINTF(str,"%swebctrl.ini",curdir);
-		if(!stat(str,&sb)) {
 		/* NEVER serve up a webctrl.ini file */
 		if(!strcmp(path,str)) {
 			send_error(session,__LINE__,"403 Forbidden");
 			return(FALSE);
 		}
+		if(!stat(str,&sb)) {
 			/* Read webctrl.ini file */
 			if((file=fopen(str,"r"))!=NULL) {
 				/* FREE()d in this block */