[hackers] [quark][PATCH] Don't reject /.well-known/ (see RFC 8615)

From: robert <robertrussell.72001_AT_gmail.com>
Date: Sat, 15 Aug 2020 15:32:11 -0700

Previously, all hidden targets were rejected with 403, but /.well-known/
and its contents should be an exception.
---
 http.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/http.c b/http.c
index 49b30dc..7f20c23 100644
--- a/http.c
+++ b/http.c
_AT_@ -600,8 +600,10 @@ http_send_response(int fd, const struct request *req)
 		return http_send_status(fd, S_BAD_REQUEST);
 	}
 
-	/* reject hidden target */
-	if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
+	/* reject hidden target, except for /.well-known/
+	 * and its contents (see RFC 8615) */
+	if (realtarget[0] == '.' || (strstr(realtarget, "/.") &&
+		strstr(realtarget, "/.well-known/") != realtarget)) {
 		return http_send_status(fd, S_FORBIDDEN);
 	}
 
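Review bot: the new exception on the `strstr(realtarget, "/.well-known/") != realtarget` line switches off the hidden-target check for the entire path once it starts with /.well-known/, so a dot-file or dot-directory anywhere below it (a target such as /.well-known/.git/config or /.well-known/foo/.htpasswd, if present in the served tree) is no longer answered with S_FORBIDDEN. If only the /.well-known component itself is meant to be exempt, keep rejecting "/." in the remainder: compare the prefix with `strncmp(realtarget, "/.well-known/", sizeof("/.well-known/") - 1)` and, on a match, run the `strstr(..., "/.")` test starting at the prefix's trailing slash instead of at `realtarget`. A prefix compare also states the intent more directly than scanning the whole string with strstr() and comparing the result to the start pointer. Separately, a target of exactly "/.well-known" (no trailing slash) still matches "/." and fails the exception, so it gets 403; the comment should say whether that is intended. If serving hidden entries below /.well-known/ is deliberate, please say so in the comment and the commit message so that operators know those files are exposed.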
-- 
2.17.1
Received on Sun Aug 16 2020 - 00:32:11 CEST
