Browse Source

Reject requests that contain backslash in path

PR #18626.
Closes #18618.
adaptive-webui-19844
Vladimir Golovnev 2 years ago committed by GitHub
parent
commit
58a654a70f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 11
      src/webui/webapplication.cpp

11
src/webui/webapplication.cpp

@ -173,9 +173,14 @@ WebApplication::~WebApplication()
void WebApplication::sendWebUIFile() void WebApplication::sendWebUIFile()
{ {
const QStringList pathItems {request().path.split(u'/', Qt::SkipEmptyParts)}; if (request().path.contains(u'\\'))
if (pathItems.contains(u".") || pathItems.contains(u"..")) throw BadRequestHTTPError();
throw InternalServerErrorHTTPError();
if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
; pathItems.contains(u".") || pathItems.contains(u".."))
{
throw BadRequestHTTPError();
}
const QString path = (request().path != u"/") const QString path = (request().path != u"/")
? request().path ? request().path

Loading…
Cancel
Save