adds resource name validation

Thu, 03 Aug 2017 11:38:41 +0200

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Thu, 03 Aug 2017 11:38:41 +0200
changeset 268
2610eecfc5e5
parent 267
171498cb2137
child 269
c89633916e36

adds resource name validation

crypto-name could contain path separators

--- a/libidav/resource.c	Thu Aug 03 10:37:52 2017 +0200
+++ b/libidav/resource.c	Thu Aug 03 11:38:41 2017 +0200
@@ -79,15 +79,25 @@
 }
 
 DavResource* dav_resource_new_full(DavSession *sn, char *parent_path, char *name, char *href) {
+    sstr_t n = sstr(name);
+    // the name must not contain path separators
+    for(int i=0;i<n.length-1;i++) {
+        char c = n.ptr[i];
+        if(c == '/' || c == '\\') {
+            n = sstr(util_resource_name(href));
+            break;
+        }
+    }
+    // remove trailing '/'
+    if(n.length > 0 && n.ptr[n.length-1] == '/') {
+        n.length--;
+    }
+    
     DavResource *res = ucx_mempool_calloc(sn->mp, 1, sizeof(DavResource));
     res->session = sn;
     
     // set name, path and href
-    sstr_t n = sstr(name);
     res->name = sstrdup_a(sn->mp->allocator, n).ptr;
-    if(n.length > 0 && n.ptr[n.length-1] == '/') {
-        res->name[n.length-1] = '\0';
-    }
     
     char *path = util_concat_path(parent_path, name); 
     res->path = dav_session_strdup(sn, path);
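Review bot: The path is still built from the unvalidated `name` in `char *path = util_concat_path(parent_path, name);`, so a name containing `/` or `\` is replaced for `res->name` but still flows into `res->path`; if the path is meant to be covered by this validation, build it from the checked value, e.g. `util_concat_path(parent_path, res->name)` after confirming whether callers rely on a trailing `/` surviving in the path. The scan loop `for(int i=0;i<n.length-1;i++)` also looks unsafe for an empty name: if `sstr_t.length` is an unsigned type (its declaration is not visible here), `n.length-1` wraps for a zero-length name, which the `n.length > 0` guard below treats as possible, and the loop reads past the buffer; `for(size_t i=0;i+1<n.length;i++)` avoids that. Because the last character is skipped, a name ending in `\` passes through unchanged, and the fallback `util_resource_name(href)` is used without checking its result or re-running the separator check on it. The function body continues past the end of the hunk, so later uses of `name` are not visible here.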
