From 85006d10f5b4f8fb2e95be479d0b7c28a42d1d46 Mon Sep 17 00:00:00 2001
From: Wilhem Barbier
Date: Tue, 11 Jun 2019 10:33:56 +0200
Subject: Fix directory traversal bug (#4341)

Refuse to serve an URL containing `../`.
---
 src/WebAdmin.cpp | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/WebAdmin.cpp b/src/WebAdmin.cpp
index 335b6b94e..9082044fa 100644
--- a/src/WebAdmin.cpp
+++ b/src/WebAdmin.cpp
@@ -375,14 +375,13 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
 }
 }
 
- // Remove all "../" strings:
- ReplaceString(FileURL, "../", "");
-
 // Read the file contents and guess its mime-type, based on the extension:
 AString Content = "

404 Not Found

";
- AString ContentType;
+ AString ContentType = "text/html";
 AString Path = Printf(FILE_IO_PREFIX "webadmin/files/%s", FileURL.c_str());
- if (cFile::IsFile(Path))
+
+ // Return 404 if the file is not found, or the URL contains '../' (for security reasons)
+ if ((FileURL.find("../") == AString::npos) && cFile::IsFile(Path))
 {
 cFile File(Path, cFile::fmRead);
 AString FileContent;
@@ -395,10 +394,10 @@ void cWebAdmin::HandleFileRequest(cHTTPServerConnection & a_Connection, cHTTPInc
 ContentType = GetContentTypeFromFileExt(Path.substr(LastPointPosition + 1));
 }
 }
- }
- if (ContentType.empty())
- {
- ContentType = "application/unknown";
+ if (ContentType.empty())
+ {
+ ContentType = "application/unknown";
+ }
 }
 
 // Send the response:
-- 
cgit v1.2.3
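Review bot: The new guard `FileURL.find("../") == AString::npos` is a substring denylist and only covers one spelling of a parent-directory reference; a trailing `..` segment with no slash after it, or `..\` on a platform whose file API treats the backslash as a separator, passes the check and still reaches `Printf(FILE_IO_PREFIX "webadmin/files/%s", ...)` and `cFile::IsFile(Path)`. The hunk does not show where FileURL is produced, so whether it is already percent-decoded at this point cannot be confirmed; the check must run on the decoded form, and ideally the resulting Path would be canonicalised and verified to remain under the files directory. Short of a canonicalising helper, rejecting any path segment equal to `..` (splitting on both separators) is a more robust replacement for the substring test, as sketched below. HandleFileRequest begins before and ends after both hunks; the second hunk only re-nests the `application/unknown` fallback and raises no separate point.
```cpp
	// Reject any ".." path segment (covers "/../", a trailing "..", and "..\" where the
	// backslash is a separator) instead of only the literal "../" substring:
	bool HasParentSegment = false;
	size_t SegStart = 0;
	while (SegStart <= FileURL.size())
	{
		size_t SegEnd = FileURL.find_first_of("/\\", SegStart);
		if (SegEnd == AString::npos)
		{
			SegEnd = FileURL.size();
		}
		if (FileURL.substr(SegStart, SegEnd - SegStart) == "..")
		{
			HasParentSegment = true;
			break;
		}
		SegStart = SegEnd + 1;
	}

	// Return 404 if the file is not found, or the URL tries to leave the files directory
	if (!HasParentSegment && cFile::IsFile(Path))
	// … unchanged: file read and content-type detection …
```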