From 13042c5b5a9e367e4f7f8552f3cbf1041d3b9902 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Orsini <jeanfi@gmail.com>
Date: Wed, 19 Nov 2014 14:08:45 +0100
Subject: [PATCH] psensor-server: avoid to retrieve files which are not under
 the webserver directory.

---
 NEWS                |  6 ++++++
 src/server/server.c | 32 +++++++++++++++++++++++++-------
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/NEWS b/NEWS
index 5154de6..91151e9 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,12 @@
 Psensor NEWS
 ============
 
+v1.1.4
+------
+
+* psensor-server: avoid to retrieve files which are not under the
+  webserver directory.
+
 v1.1.3
 ------
 
diff --git a/src/server/server.c b/src/server/server.c
index 5862586..6c5d979 100644
--- a/src/server/server.c
+++ b/src/server/server.c
@@ -23,6 +23,7 @@
 #include <libintl.h>
 #define _(str) gettext(str)
 
+#include <limits.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -245,14 +246,25 @@ static struct MHD_Response *create_response_file(const char *nurl,
 static struct MHD_Response *
 create_response(const char *nurl, const char *method, unsigned int *rp_code)
 {
+	char *page, *fpath, *rpath;
 	struct MHD_Response *resp = NULL;
+	int n;
 
 	if (!strncmp(nurl, URL_BASE_API_1_1, strlen(URL_BASE_API_1_1))) {
 		resp = create_response_api(nurl, method, rp_code);
 	} else {
-		char *fpath = get_path(nurl, server_data.www_dir);
-
-		resp = create_response_file(nurl, method, rp_code, fpath);
+		fpath = get_path(nurl, server_data.www_dir);
+
+		rpath = realpath(fpath, NULL);
+		if (rpath) {
+			n = strlen(server_data.www_dir);
+			if (!strncmp(server_data.www_dir, rpath, n))
+				resp = create_response_file(nurl,
+							    method,
+							    rp_code,
+							    fpath);
+			free(rpath);
+		}
 
 		free(fpath);
 	}
@@ -260,7 +272,7 @@ create_response(const char *nurl, const char *method, unsigned int *rp_code)
 	if (resp)
 		return resp;
 
-	char *page = strdup(PAGE_NOT_FOUND);
+	page = strdup(PAGE_NOT_FOUND);
 	*rp_code = MHD_HTTP_NOT_FOUND;
 
 	return MHD_create_response_from_data(strlen(page),
@@ -347,7 +359,7 @@ int main(int argc, char *argv[])
 		switch (optc) {
 		case 'w':
 			if (optarg)
-				server_data.www_dir = strdup(optarg);
+				server_data.www_dir = realpath(optarg, NULL);
 			break;
 		case 'p':
 			if (optarg)
@@ -386,8 +398,14 @@ int main(int argc, char *argv[])
 		exit(EXIT_FAILURE);
 	}
 
-	if (!server_data.www_dir)
-		server_data.www_dir = strdup(DEFAULT_WWW_DIR);
+	if (!server_data.www_dir) {
+		server_data.www_dir = realpath(DEFAULT_WWW_DIR, NULL);
+		if (!server_data.www_dir) {
+			fprintf(stderr,
+				_("Webserver directory does not exist.\n"));
+			exit(EXIT_FAILURE);
+		}
+	}
 
 	if (!log_file)
 		log_file = strdup(DEFAULT_LOG_FILE);
-- 
2.7.4