d4708/qBittorrent
1
0
Fork 0
mirror of https://github.com/d47081/qBittorrent.git synced 2025-02-02 09:55:55 +00:00
Code Issues Projects Releases Wiki Activity

Reject requests that contain backslash in path

Browse Source 
PR #18626.
Closes #18618.
This commit is contained in:
Vladimir Golovnev 2023-02-27 16:50:50 +03:00 committed by GitHub
parent ff0f3b4975
commit 58a654a70f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/webui/webapplication.cpp
View File

@ -173,9 +173,14 @@ WebApplication::~WebApplication()
void WebApplication::sendWebUIFile()
{
const QStringList pathItems {request().path.split(u'/', Qt::SkipEmptyParts)};
if (pathItems.contains(u".") || pathItems.contains(u".."))
throw InternalServerErrorHTTPError();
if (request().path.contains(u'\\'))
throw BadRequestHTTPError();
if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
; pathItems.contains(u".") || pathItems.contains(u".."))
{
throw BadRequestHTTPError();
}
const QString path = (request().path != u"/")
? request().path