system/serenity
system/serenity
1
0
Fork 0
mirror of https://github.com/SerenityOS/serenity synced 2024-10-07 00:19:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

WebServer: Return 403 for a GET request to an inaccessible path

Browse source 
Previously, trying to access a non-readable file would cause a
connection reset in the browser; trying to access a non-executable
directory would show a completely empty directory listing.
This commit is contained in:
Tim Ledbetter 2023-09-15 18:05:25 +01:00 committed by Andrew Kaster
parent b2f0c50376
commit c9e4a82c04
1 changed files with 12 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
Userland/Services/WebServer/Client.cpp
View file

@ -138,6 +138,12 @@ ErrorOr<bool> Client::handle_request(HTTP::HttpRequest const& request)
auto index_html_path = TRY(String::formatted("{}/index.html", real_path));
if (!FileSystem::exists(index_html_path)) {
auto is_searchable_or_error = Core::System::access(real_path.bytes_as_string_view(), X_OK);
if (is_searchable_or_error.is_error()) {
TRY(send_error_response(403, request));
return false;
}
TRY(handle_directory_listing(requested_path, real_path, request));
return true;
}
@ -149,6 +155,12 @@ ErrorOr<bool> Client::handle_request(HTTP::HttpRequest const& request)
return false;
}
auto is_readable_or_error = Core::System::access(real_path.bytes_as_string_view(), R_OK);
if (is_readable_or_error.is_error()) {
TRY(send_error_response(403, request));
return false;
}
if (FileSystem::is_device(real_path.bytes_as_string_view())) {
TRY(send_error_response(403, request));
return false;