diff options
| -rw-r--r-- | libvncserver/httpd.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c index 12d71a8..2a778e7 100644 --- a/libvncserver/httpd.c +++ b/libvncserver/httpd.c @@ -423,6 +423,14 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen) } } + /* Basic protection against directory traversal outside webroot */ + + if (strstr(fname, "..")) { + rfbErr("httpd: URL should not contain '..'\n"); + rfbWriteExact(&cl, NOT_FOUND_STR, strlen(NOT_FOUND_STR)); + httpCloseSock(rfbScreen); + return; + } /* If we were asked for '/', actually read the file index.vnc */ |