45 |
my $class=shift; |
my $class=shift; |
46 |
my $relPath=shift; |
my $relPath=shift; |
47 |
my $client=shift; |
my $client=shift; |
48 |
|
|
49 |
|
&::syslog('debug',"Meteor::Document: Request received for '%s'",$relPath); |
50 |
|
|
51 |
my $doc=$class->documentForPath($relPath); |
my $doc=$class->documentForPath($relPath); |
52 |
|
|
135 |
$relPath=~s/^[\/]*//; |
$relPath=~s/^[\/]*//; |
136 |
$relPath=~s/[\/]*$//; |
$relPath=~s/[\/]*$//; |
137 |
|
|
|
# split into path components |
|
|
my @pathComponents=split(/[\/]+/,$relPath); |
|
138 |
|
|
139 |
# Check components |
# NOTE: With the right strings the code below triggers a bug in |
140 |
foreach (@pathComponents) |
# perl (5.8.6 currently) that will result in messages like |
141 |
|
# |
142 |
|
# Attempt to free unreferenced scalar |
143 |
|
# |
144 |
|
# and an eventual crash. |
145 |
|
# |
146 |
|
# So it was replaced with the more naive code following this |
147 |
|
# commented out code. |
148 |
|
# |
149 |
|
# # split into path components |
150 |
|
# my @pathComponents=split(/[\/]+/,$relPath); |
151 |
|
# |
152 |
|
# # Check components |
153 |
|
# foreach (@pathComponents) |
154 |
|
# { |
155 |
|
# # Very strict: We only allow alphanumeric characters, dash and |
156 |
|
# # underscore, followed by any number of extensions that also |
157 |
|
# # only allow the above characters. |
158 |
|
# unless(/^[a-z0-9\-\_][a-z0-9\-\_\.]*$/i) |
159 |
|
# { |
160 |
|
# &::syslog('debug', |
161 |
|
# "Meteor::Document: Rejecting path '%s' due to invalid component '%s'", |
162 |
|
# $relPath,$_ |
163 |
|
# ); |
164 |
|
# |
165 |
|
# return undef; |
166 |
|
# } |
167 |
|
# } |
168 |
|
# |
169 |
|
#my $path=$::CONF{'SubscriberDocumentRoot'}.'/'.join('/',@pathComponents); |
170 |
|
|
171 |
|
# |
172 |
|
# Check for all alphanumeric or dash, underscore, dot and slash |
173 |
|
# |
174 |
|
unless($relPath=~/^[a-z0-9\-\_\.\/]*$/i) |
175 |
{ |
{ |
176 |
# Very strict: We only allow alphanumric characters, dash and |
&::syslog('debug', |
177 |
# underscore, followed by any number of extensions that also |
"Meteor::Document: Rejecting path '%s' due to invalid characters", |
178 |
# only allow the above characters. |
$relPath |
179 |
unless(/^[a-z0-9\-\_][a-z0-9\-\_\.]*$/i) |
); |
180 |
{ |
|
181 |
&::syslog('debug', |
return undef; |
182 |
"Meteor::Document: Rejecting path '%s' due to invalid component '%s'", |
} |
183 |
$relPath,$_ |
# |
184 |
); |
# Don't allow '..' |
185 |
|
# |
186 |
return undef; |
if(index($relPath,'..')>=0) |
187 |
} |
{ |
188 |
|
&::syslog('debug', |
189 |
|
"Meteor::Document: Rejecting path '%s' due to invalid sequence '..'", |
190 |
|
$relPath |
191 |
|
); |
192 |
|
|
193 |
|
return undef; |
194 |
} |
} |
195 |
|
|
196 |
my $path=$::CONF{'SubscriberDocumentRoot'}.'/'.join('/',@pathComponents); |
my $path=$::CONF{'SubscriberDocumentRoot'}.'/'.$relPath; |
197 |
|
|
198 |
# If it is a directory, append DirectoryIndex config value |
# If it is a directory, append DirectoryIndex config value |
199 |
$path.='/'.$::CONF{'DirectoryIndex'} if(-d $path); |
$path.='/'.$::CONF{'DirectoryIndex'} if(-d $path); |
257 |
} |
} |
258 |
|
|
259 |
1; |
1; |
|
############################################################################EOF |
|
260 |
|
############################################################################EOF |
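Review bot: The whole-path check that replaces the per-component loop (new lines 174–194) no longer rejects path components that begin with a dot. A request for a dotfile under `SubscriberDocumentRoot` now passes validation where the old pattern `^[a-z0-9\-\_][a-z0-9\-\_\.]*$` refused it, and only the literal `..` is still caught. A loop-free way to keep the old strictness is to add `return undef if($relPath=~m{(?:^|/)\.});` next to the `..` test, provided it does not trip the same perl 5.8.6 bug the NOTE describes, which I cannot confirm from here. The end anchor `$` in `unless($relPath=~/^[a-z0-9\-\_\.\/]*$/i)` also matches before a trailing newline, so `\z` would be tighter. The enclosing sub starts above the visible lines, so any earlier decoding or normalisation of `$relPath` cannot be confirmed from this section.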