From 4b1832098469645ef983802f01400cb68f15c7e3 Mon Sep 17 00:00:00 2001
From: Lauri Kasanen
Date: Fri, 14 Jun 2024 11:58:06 +0300
Subject: [PATCH] Fix dir traversal by percent-encoding dots
---
 common/network/websocket.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/common/network/websocket.c b/common/network/websocket.c
index 706c342..692f33c 100644
--- a/common/network/websocket.c
+++ b/common/network/websocket.c
@@ -917,6 +917,12 @@ static void servefile(ws_ctx_t *ws_ctx, const char *in, const char * const user,
 percent_decode(path, buf, 1);
+ // in case they percent-encoded dots
+ if (strstr(buf, "../")) {
+ handler_msg("Attempted dir traversal attack, rejecting\n", len);
+ goto nope;
+ }
+
 handler_msg("Requested file '%s'\n", buf);
 sprintf(fullpath, "%s/%s", settings.httpdir, buf);
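Review bot: The added `strstr(buf, "../")` test is a denylist for one spelling of a parent reference. It does not cover a decoded path that ends in `..` with no trailing slash, or a symlink under `settings.httpdir` that resolves outside it. A containment check on the resolved path, placed after `fullpath` is built, would hold regardless of how the request was encoded; a sketch follows, assuming `nope` is the existing rejection path and that `realpath` and `PATH_MAX` are available in this file. Separately, the new `handler_msg` call passes `len` although its format string has no conversion, so `handler_msg("Attempted dir traversal attack, rejecting\n");` would be cleaner. servefile's body starts and ends outside the hunk, so the size of `fullpath` behind the unbounded `sprintf` and the response sent at `nope` are not visible here.

```c
	// … unchanged: percent_decode and the strstr(buf, "../") rejection …
	sprintf(fullpath, "%s/%s", settings.httpdir, buf);

	// Resolve dot segments and symlinks, then require the result to stay
	// under the served directory (assumes httpdir is not the filesystem root).
	char root[PATH_MAX], resolved[PATH_MAX];
	if (!realpath(settings.httpdir, root) || !realpath(fullpath, resolved))
		goto nope;
	const size_t rootlen = strlen(root);
	if (strncmp(resolved, root, rootlen) != 0 ||
	    (resolved[rootlen] != '/' && resolved[rootlen] != '\0'))
		goto nope;
```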