author | Dieter Hametner <dh (plus) vdr (at) gekrumbel (dot) de> | 2007-09-08 22:53:20 +0000 |
---|---|---|
committer | Dieter Hametner <dh (plus) vdr (at) gekrumbel (dot) de> | 2007-09-08 22:53:20 +0000 |
commit | 5f3d9f1f80af84c71baed2fd9108aa1494ecaba5 (patch) | |
tree | b4ebcf124399766b776ef69a0e49e9f50920e514 /pages/content.ecpp | |
parent | 7813337cad75e71e76dbd1d4492ca0d53b523d61 (diff) | |
download | vdr-plugin-live-5f3d9f1f80af84c71baed2fd9108aa1494ecaba5.tar.gz vdr-plugin-live-5f3d9f1f80af84c71baed2fd9108aa1494ecaba5.tar.bz2 |
- Fixed bug #387. content.ecpp now serves only requests whose path is absolute
and contains no '..' references.
Diffstat (limited to 'pages/content.ecpp')
-rw-r--r-- | pages/content.ecpp | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/pages/content.ecpp b/pages/content.ecpp
index 9fdabf3..27d827c 100644
--- a/pages/content.ecpp
+++ b/pages/content.ecpp
@@ -23,21 +23,22 @@ if (request.getArgsCount() > 0) {
 reply.setContentType(mime);
 // dsyslog("vdrlive::content::mimetype(%s)", mime.c_str());
-// FileCache::ptr_type f = LiveFileCache().get("/tmp/live/" + request.getPathInfo());
 string const path(request.getPathInfo());
- // dsyslog("vdrlive::content: path = %s", path.c_str());
-FileCache::ptr_type f;
-
-string const epgImgPath(LiveSetup().GetEpgImageDir());
-if (!epgImgPath.empty() && path.find(epgImgPath) != string::npos) {
- f = LiveFileCache().get(path);
+// security checking of path. In order to not allow exploits the
+// path must be absolute and not contain any upward references (e.g '../')
+if (path.empty()) {
+ return HTTP_BAD_REQUEST;
 }
-else {
- // dsyslog("vdrlive::content: retrieve from %s", Plugin::GetConfigDirectory().c_str());
- f = LiveFileCache().get(Plugin::GetConfigDirectory() + "/" + path);
+if ('/' != path[0]) {
+ return HTTP_BAD_REQUEST;
 }
+if (string::npos != path.find("../", 1)) {
+ return HTTP_BAD_REQUEST;
+}
+
+FileCache::ptr_type f = LiveFileCache().get(path);
 if (f.get() == 0) {
 // dsyslog("vdrlive::content: DECLINED"); |