From a29c6a0b9a618807298d2dc281e6f7bdfa73988f Mon Sep 17 00:00:00 2001
From: Jean-Philippe Orsini
Date: Wed, 8 Jun 2016 15:16:17 +0200
Subject: [PATCH] debian package is linking jquery.js from another directory than psensor www dir. allowed this special dir.
---
 src/server/server.c | 48 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 12 deletions(-)
diff --git a/src/server/server.c b/src/server/server.c
index 7e9736c..3e7bcb6 100644
--- a/src/server/server.c
+++ b/src/server/server.c
@@ -244,28 +244,52 @@ static struct MHD_Response *create_response_file(const char *nurl,
 return NULL;
 }
+static int is_access_allowed(char *path)
+{
+ char *rpath;
+ int n, ret;
+
+ rpath = realpath(path, NULL);
+ if (rpath) {
+ n = strlen(server_data.www_dir);
+ if (!strncmp(server_data.www_dir, rpath, n)
+ || !strcmp(rpath,
+ "/usr/share/javascript/jquery/jquery.js")) {
+ ret = 1;
+ } else {
+ ret = 0;
+
+ log_err(_("Resource access refused %s real path is %s"),
+ path,
+ rpath);
+ }
+
+ free(rpath);
+ } else {
+ log_err(_("Cannot get real path of %s"), path);
+
+ ret = 0;
+ }
+
+ return ret;
+}
+
 static struct MHD_Response * create_response(const char *nurl, const char *method, unsigned int *rp_code) {
- char *page, *fpath, *rpath;
+ char *page, *fpath;
 struct MHD_Response *resp = NULL;
- int n;
 if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
 resp = create_response_api(nurl, method, rp_code);
 } else {
 fpath = get_path(nurl, server_data.www_dir);
- rpath = realpath(fpath, NULL);
- if (rpath) {
- n = strlen(server_data.www_dir);
- if (!strncmp(server_data.www_dir, rpath, n))
- resp = create_response_file(nurl,
- method,
- rp_code,
- fpath);
- free(rpath);
- }
+ if (is_access_allowed(fpath))
+ resp = create_response_file(nurl,
+ method,
+ rp_code,
+ fpath);
 free(fpath);
 }
-- 
2.7.4
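Review bot: The prefix test in `is_access_allowed()` has no path-component boundary, so a resolved path that merely begins with the same characters as `server_data.www_dir` (a sibling directory whose name extends the web root's name) is treated as inside the web root; the test was moved here unchanged from `create_response()`. Requiring a separator after the prefix closes that: replace the first operand with `(!strncmp(server_data.www_dir, rpath, n) && (rpath[n] == '/' || rpath[n] == '\0'))`. This assumes `www_dir` is stored canonical and without a trailing slash, which is not visible in this hunk, so resolving it once with `realpath()` at startup would be the safer base for the comparison. The decision is made on `rpath`, but `create_response_file()` is still handed `fpath`, so the path is resolved a second time when the file is opened after the check. `path` is never written through and could be `const char *path`, and `n` should be `size_t` to match `strlen()` and `strncmp()`.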