Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | In the althttpd.c webserver, relax the constraint that filenames cannot begin with "." or "-" for the special "/.well-known/" path. The constraint remains for any URL that does not begin with "/.well-known/". And ".." is still disallowed. This change is necessary due to recent changes to the LetsEncrypt certbot. |
|---|---|
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
7027e3e86dfe32f4124f49baf88769f1 |
| User & Date: | drh 2020-03-03 13:59:11 |
Context
|
2020-03-03
| ||
| 14:07 | Update the althttpd documentation. check-in: c7f0891d15 user: drh tags: trunk | |
| 13:59 | In the althttpd.c webserver, relax the constraint that filenames cannot begin with "." or "-" for the special "/.well-known/" path. The constraint remains for any URL that does not begin with "/.well-known/". And ".." is still disallowed. This change is necessary due to recent changes to the LetsEncrypt certbot. check-in: 7027e3e86d user: drh tags: trunk | |
|
2020-02-25
| ||
| 20:57 | Initial documentation explaining the NUL characters can appear in the middle of TEXT strings and what to do about it. check-in: e2299b8b80 user: drh tags: trunk | |
Changes
Changes to misc/althttpd.c.
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
....
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
|
** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** ** (3) Any file or directory whose name begins with "." or "-" is ignored, ** except for /.well-known/ at the top-level. The exception is for ** RFC-5785 to allow letsencrypt or certbot to generate a TLS cert ** using webroot. ** ** (4) Characters other than [0-9a-zA-Z,-./:_~] and any %HH characters ** escapes in the filename are all translated into "_". This is ** a defense against cross-site scripting attacks and other mischief. ** ** (5) Executable files are run as CGI. Files whose name ends with ".scgi" ................................................................................ /* Do not allow "/." or "/-" to to occur anywhere in the entity name. ** This prevents attacks involving ".." and also allows us to create ** files and directories whose names begin with "-" or "." which are ** invisible to the webserver. ** ** Exception: Allow the "/.well-known/" prefix in accordance with ** RFC-5785 */ for(z=zScript; *z; z++){ if( *z=='/' && (z[1]=='.' || z[1]=='-') && (z>zScript || strncmp(z,"/.well-known/",13)!=0) ){ NotFound(300); /* LOG: Path element begins with "." or "-" */ } } /* Figure out what the root of the filesystem should be. If the ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the ** port number from the end (if any), convert all characters to lower ** case, and convert non-alphanumber characters (including ".") to "_". |
|
>
|
|
|
|
<
>
>
>
>
|
|
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
....
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
|
** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** ** (3) Any file or directory whose name begins with "." or "-" is ignored, ** except if the URL begins with "/.well-known/" then initial "." and ** "-" characters are allowed, but not initial "..". The exception is ** for RFC-5785 to allow letsencrypt or certbot to generate a TLS cert ** using webroot. ** ** (4) Characters other than [0-9a-zA-Z,-./:_~] and any %HH characters ** escapes in the filename are all translated into "_". This is ** a defense against cross-site scripting attacks and other mischief. ** ** (5) Executable files are run as CGI. Files whose name ends with ".scgi" ................................................................................ /* Do not allow "/." or "/-" to to occur anywhere in the entity name. ** This prevents attacks involving ".." and also allows us to create ** files and directories whose names begin with "-" or "." which are ** invisible to the webserver. ** ** Exception: Allow the "/.well-known/" prefix in accordance with ** RFC-5785. */ for(z=zScript; *z; z++){ if( *z=='/' && (z[1]=='.' || z[1]=='-') ){ if( strncmp(zScript,"/.well-known/",13)==0 && (z[1]!='.' || z[2]!='.') ){ /* Exception: Allow "/." and "/-" for URLs that being with ** "/.well-known/". But do not allow "/..". */ continue; } NotFound(300); /* LOG: Path element begins with "." or "-" */ } } /* Figure out what the root of the filesystem should be. If the ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the ** port number from the end (if any), convert all characters to lower ** case, and convert non-alphanumber characters (including ".") to "_". |