Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | In the althttpd.c webserver, relax the constraint that filenames cannot begin with "." or "-" for the special "/.well-known/" path. The constraint remains for any URL that does not begin with "/.well-known/". And ".." is still disallowed. This change is necessary due to recent changes to the LetsEncrypt certbot. |
---|---|
Downloads: | Tarball | ZIP archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
7027e3e86dfe32f4124f49baf88769f1 |
User & Date: | drh 2020-03-03 13:59:11.467 |
Context
2020-03-03
| ||
14:07 | Update the althttpd documentation. (check-in: c7f0891d15 user: drh tags: trunk) | |
13:59 | In the althttpd.c webserver, relax the constraint that filenames cannot begin with "." or "-" for the special "/.well-known/" path. The constraint remains for any URL that does not begin with "/.well-known/". And ".." is still disallowed. This change is necessary due to recent changes to the LetsEncrypt certbot. (check-in: 7027e3e86d user: drh tags: trunk) | |
2020-02-25
| ||
20:57 | Initial documentation explaining the NUL characters can appear in the middle of TEXT strings and what to do about it. (check-in: e2299b8b80 user: drh tags: trunk) | |
Changes
Changes to misc/althttpd.c.
︙ | ︙ | |||
30 31 32 33 34 35 36 | ** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** ** (3) Any file or directory whose name begins with "." or "-" is ignored, | | > | | 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 | ** request header. If there is no HTTP_HOST header or if the ** corresponding host directory does not exist, then the ** "default.website" is used. If the HTTP_HOST header contains any ** charaters other than [a-zA-Z0-9_.,*~/] then a 403 error is ** generated. ** ** (3) Any file or directory whose name begins with "." or "-" is ignored, ** except if the URL begins with "/.well-known/" then initial "." and ** "-" characters are allowed, but not initial "..". The exception is ** for RFC-5785 to allow letsencrypt or certbot to generate a TLS cert ** using webroot. ** ** (4) Characters other than [0-9a-zA-Z,-./:_~] and any %HH characters ** escapes in the filename are all translated into "_". This is ** a defense against cross-site scripting attacks and other mischief. ** ** (5) Executable files are run as CGI. Files whose name ends with ".scgi" |
︙ | ︙ | |||
1840 1841 1842 1843 1844 1845 1846 | /* Do not allow "/." or "/-" to to occur anywhere in the entity name. ** This prevents attacks involving ".." and also allows us to create ** files and directories whose names begin with "-" or "." which are ** invisible to the webserver. ** ** Exception: Allow the "/.well-known/" prefix in accordance with | | | | < > > > > | | 1841 1842 1843 1844 1845 1846 1847 1848 1849 1850 1851 1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 | /* Do not allow "/." or "/-" to to occur anywhere in the entity name. ** This prevents attacks involving ".." and also allows us to create ** files and directories whose names begin with "-" or "." which are ** invisible to the webserver. ** ** Exception: Allow the "/.well-known/" prefix in accordance with ** RFC-5785. */ for(z=zScript; *z; z++){ if( *z=='/' && (z[1]=='.' || z[1]=='-') ){ if( strncmp(zScript,"/.well-known/",13)==0 && (z[1]!='.' || z[2]!='.') ){ /* Exception: Allow "/." and "/-" for URLs that being with ** "/.well-known/". But do not allow "/..". */ continue; } NotFound(300); /* LOG: Path element begins with "." or "-" */ } } /* Figure out what the root of the filesystem should be. If the ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the ** port number from the end (if any), convert all characters to lower ** case, and convert non-alphanumber characters (including ".") to "_". |
︙ | ︙ |