Diffstat (limited to 'libvncserver/httpd.c')
-rw-r--r-- | libvncserver/httpd.c | 30 |
1 files changed, 22 insertions, 8 deletions
diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
index 12d71a8..8634b15 100644
--- a/libvncserver/httpd.c
+++ b/libvncserver/httpd.c
@@ -81,9 +81,7 @@
 "<HEAD><TITLE>Invalid Request</TITLE></HEAD>\n" \
 "<BODY><H1>Invalid request</H1></BODY>\n"
-#define OK_STR "HTTP/1.0 200 OK\r\nConnection: close\r\n\r\n"
-#define OK_STR_HTML "HTTP/1.0 200 OK\r\nConnection: close\r\nContent-Type: text/html\r\n\r\n"
-
+#define OK_STR "HTTP/1.0 200 OK\r\nConnection: close\r\n"
 static void httpProcessInput(rfbScreenInfoPtr screen);
@@ -192,7 +190,7 @@ rfbHttpCheckFds(rfbScreenInfoPtr rfbScreen)
 }
 tv.tv_sec = 0;
 tv.tv_usec = 0;
- nfds = select(max(rfbScreen->httpListen6Sock, max(rfbScreen->httpSock,rfbScreen->httpListenSock)) + 1, &fds, NULL, NULL, &tv);
+ nfds = select(rfbMax(rfbScreen->httpListen6Sock, rfbMax(rfbScreen->httpSock,rfbScreen->httpListenSock)) + 1, &fds, NULL, NULL, &tv);
 if (nfds == 0) {
 return;
 }
@@ -423,6 +421,14 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
 }
 }
+ /* Basic protection against directory traversal outside webroot */
+
+ if (strstr(fname, "..")) {
+ rfbErr("httpd: URL should not contain '..'\n");
+ rfbWriteExact(&cl, NOT_FOUND_STR, strlen(NOT_FOUND_STR));
+ httpCloseSock(rfbScreen);
+ return;
+ }
 /* If we were asked for '/', actually read the file index.vnc */
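Review bot: OK_STR now stops after the Connection header instead of terminating the response head, yet the macro keeps its old name, so any use of OK_STR elsewhere in httpd.c that this diff does not touch would now emit a header block with no terminating blank line and the body would be read as more headers. Only one updated caller is visible (in the later hunk); if another exists it needs `rfbWriteExact(&cl, "\r\n", 2);` after it, or the macro should be renamed (e.g. `OK_STR_HEAD`) so that stale uses fail to compile rather than silently misbehave. The definitions around this hunk lie outside it.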
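Review bot: The new `strstr(fname, "..")` rejection in httpProcessInput only catches a literal dot-dot; the hunk does not show whether `fname` has been percent-decoded at this point, and if decoding happens later (or not at all, with the raw bytes reaching the filesystem), `%2e%2e` or mixed forms such as `.%2e` pass this check while still resolving to `..`. The check should run on the fully decoded path, and matching a whole path segment equal to `..` is both tighter and avoids refusing legitimate names such as `a..b` that the substring test rejects. If Windows hosts are supported, normalise `\` to `/` before the segment check, since a backslash separator would otherwise bypass it. The trailing context of this hunk appears truncated on this page, and httpProcessInput continues outside the hunk.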
@@ -446,10 +452,18 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
 return;
 }
- if(performSubstitutions) /* is the 'index.vnc' file */
- rfbWriteExact(&cl, OK_STR_HTML, strlen(OK_STR_HTML));
- else
- rfbWriteExact(&cl, OK_STR, strlen(OK_STR));
+ rfbWriteExact(&cl, OK_STR, strlen(OK_STR));
+ char *ext = strrchr(fname, '.');
+ char *contentType = "";
+ if(ext && strcasecmp(ext, ".vnc") == 0)
+ contentType = "Content-Type: text/html\r\n";
+ else if(ext && strcasecmp(ext, ".css") == 0)
+ contentType = "Content-Type: text/css\r\n";
+ else if(ext && strcasecmp(ext, ".svg") == 0)
+ contentType = "Content-Type: image/svg+xml\r\n";
+ rfbWriteExact(&cl, contentType, strlen(contentType));
+ /* end the header */
+ rfbWriteExact(&cl, "\r\n", 2);
 while (1) {
 int n = fread(buf, 1, BUF_SIZE-1, fd); |
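Review bot: For any extension other than .vnc, .css or .svg, `contentType` stays `""` and the 200 response carries no Content-Type header at all, which leaves the browser to sniff the body and can get a file of unexpected type under the web root rendered as HTML. Replace the empty default with `Content-Type: application/octet-stream\r\n` (and consider `X-Content-Type-Options: nosniff\r\n`), unless the applet loader is known to rely on the header being absent. Two smaller points: `ext` is taken from the whole `fname`, so if any query or fragment suffix can still be attached here it would defeat the match, and the `char *ext`/`char *contentType` declarations now follow a statement, which is fine for C99 but will not build if the project still targets C89. The return values of `rfbWriteExact` remain unchecked as before, and httpProcessInput continues outside the hunk.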