
......@@ -3007,7 +3007,6 @@ static char *get_request(http_session_t * session, char *req_line)
/* Remove port specification from vhost (if present) */
remove_port_part(session->req.vhost);
/* Sets p to point to the first character after the first slash */
p=strchr(session->req.physical_path, '/');
/*
......@@ -3149,6 +3148,15 @@ static BOOL is_legal_host(const char *host, BOOL strip_port)
return TRUE;
}
static BOOL is_legal_path(const char* path)
{
#ifdef _WIN32 // Fix for Issue 269 (NTFS Alternate Data Stream vulnerability) and other potential unexpected pathname issues on Windows
if (strchr(path, ':') != NULL)
return FALSE;
#endif
return TRUE;
}
static BOOL get_req(http_session_t * session, char *request_line)
{
char req_line[MAX_REQUEST_LINE+1];
......@@ -3199,6 +3207,10 @@ static BOOL get_req(http_session_t * session, char *request_line)
send_error(session,__LINE__,"400 Bad Request");
return FALSE;
}
if (!is_legal_path(session->req.physical_path)) {
send_error(session,__LINE__,"400 Bad Request");
return FALSE;
}
if(!get_fullpath(session)) {
send_error(session,__LINE__,error_500);
return(FALSE);
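Review bot: The new `is_legal_path()` call in get_req tests `session->req.physical_path` as it stands at that point, and the hunks do not show whether the path has already been percent-decoded or can still be rewritten before it is opened; if decoding happens after this check, an encoded colon would not be caught by the `strchr(path, ':')` test. It is worth confirming that the check runs on the final decoded request path and recording that contract above the function, e.g. `/* path: decoded request path, checked before get_fullpath() resolves it */`. The `#ifdef _WIN32` comment also mentions "other potential unexpected pathname issues", but only ':' is rejected, so the comment should either name what is actually covered or be narrowed to the alternate-data-stream case. get_req's body begins in the previous hunk and continues outside this one, so any earlier or later handling of the path is not visible here.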