Apply file name sanitization for GET requests
Perform the same file name sanitization for GET requests as for PUT requests.
This commit is contained in:
parent
482653aa5c
commit
2100ca5d66
15
upload.pm
15
upload.pm
|
@ -61,11 +61,12 @@ sub handle {
|
||||||
|
|
||||||
sub handle_get_or_head {
|
sub handle_get_or_head {
|
||||||
my $r = shift;
|
my $r = shift;
|
||||||
|
my $file_path = safe_filename($r);
|
||||||
|
|
||||||
if (-r $r->filename and -f _) {
|
if (-r $file_path and -f _) {
|
||||||
$r->allow_ranges;
|
$r->allow_ranges;
|
||||||
$r->send_http_header;
|
$r->send_http_header;
|
||||||
$r->sendfile($r->filename) unless $r->header_only;
|
$r->sendfile($file_path) unless $r->header_only;
|
||||||
return OK;
|
return OK;
|
||||||
} else {
|
} else {
|
||||||
return DECLINED;
|
return DECLINED;
|
||||||
|
@ -100,8 +101,7 @@ sub handle_put {
|
||||||
|
|
||||||
sub handle_put_body {
|
sub handle_put_body {
|
||||||
my $r = shift;
|
my $r = shift;
|
||||||
my $safe_uri = $r->uri =~ s|[^\p{Alnum}/_.-]|_|gr;
|
my $file_path = safe_filename($r);
|
||||||
my $file_path = substr($r->filename, 0, -length($r->uri)) . $safe_uri;
|
|
||||||
my $dir_path = dirname($file_path);
|
my $dir_path = dirname($file_path);
|
||||||
|
|
||||||
make_path($dir_path, {chmod => $dir_mode, error => \my $error});
|
make_path($dir_path, {chmod => $dir_mode, error => \my $error});
|
||||||
|
@ -180,6 +180,13 @@ sub add_custom_headers {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub safe_filename {
|
||||||
|
my $r = shift;
|
||||||
|
my $safe_uri = $r->uri =~ s|[^\p{Alnum}/_.-]|_|gr;
|
||||||
|
|
||||||
|
return substr($r->filename, 0, -length($r->uri)) . $safe_uri;
|
||||||
|
}
|
||||||
|
|
||||||
sub safe_eq {
|
sub safe_eq {
|
||||||
my $a = shift;
|
my $a = shift;
|
||||||
my $b = shift;
|
my $b = shift;
|
||||||
|
|
Loading…
Reference in New Issue