X-Git-Url: http://git.wpitchoune.net/gitweb/?a=blobdiff_plain;f=src%2Fserver%2Fserver.c;h=6c5d979e2088523dcbaf5ec638a4757de3571975;hb=13042c5b5a9e367e4f7f8552f3cbf1041d3b9902;hp=58625868f5f1a9c2e51aacc253407730eaeb0562;hpb=8bdc685984eef93310a6ddb1683e856bf8a8131d;p=psensor.git

diff --git a/src/server/server.c b/src/server/server.c
index 5862586..6c5d979 100644
--- a/src/server/server.c
+++ b/src/server/server.c
@@ -23,6 +23,7 @@
 #include <libintl.h>
 #define _(str) gettext(str)
 
+#include <limits.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -245,14 +246,25 @@ static struct MHD_Response *create_response_file(const char *nurl,
 static struct MHD_Response *
 create_response(const char *nurl, const char *method, unsigned int *rp_code)
 {
+	char *page, *fpath, *rpath;
 	struct MHD_Response *resp = NULL;
+	int n;
 
 	if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
 		resp = create_response_api(nurl, method, rp_code);
 	} else {
-		char *fpath = get_path(nurl, server_data.www_dir);
-
-		resp = create_response_file(nurl, method, rp_code, fpath);
+		fpath = get_path(nurl, server_data.www_dir);
+
+		rpath = realpath(fpath, NULL);
+		if (rpath) {
+			n = strlen(server_data.www_dir);
+			if (!strncmp(server_data.www_dir, rpath, n))
+				resp = create_response_file(nurl,
+							    method,
+							    rp_code,
+							    fpath);
+			free(rpath);
+		}
 
 		free(fpath);
 	}
@@ -260,7 +272,7 @@ create_response(const char *nurl, const char *method, unsigned int *rp_code)
 	if (resp)
 		return resp;
 
-	char *page = strdup(PAGE_NOT_FOUND);
+	page = strdup(PAGE_NOT_FOUND);
 	*rp_code = MHD_HTTP_NOT_FOUND;
 
 	return MHD_create_response_from_data(strlen(page),
@@ -347,7 +359,7 @@ int main(int argc, char *argv[])
 		switch (optc) {
 		case 'w':
 			if (optarg)
-				server_data.www_dir = strdup(optarg);
+				server_data.www_dir = realpath(optarg, NULL);
 			break;
 		case 'p':
 			if (optarg)
@@ -386,8 +398,14 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	if (!server_data.www_dir)
-		server_data.www_dir = strdup(DEFAULT_WWW_DIR);
+	if (!server_data.www_dir) {
+		server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL);
+		if (!server_data.www_dir) {
+			fprintf(stderr,
+				_("Webserver directory does not exist.\n"));
+			exit(EXIT_FAILURE);
+		}
+	}
 
 	if (!log_file)
 		log_file = strdup(DEFAULT_LOG_FILE);