Documentation Source Text

Check-in [10a66e4535]

Overview
Comment: Modify althttpd.c to allow web content in the ".well-known" directory.
SHA1: 10a66e4535685a63c86945da9bfe8be52e7214e6
User & Date: drh 2017-03-14 02:17:24.695
Context
2017-03-14
23:28
Tighten and formalize the hack in althttpd that allows .well-known path prefixes on URIs. (check-in: adbefa195f user: drh tags: trunk)
02:17
Modify althttpd.c to allow web content in the ".well-known" directory. (check-in: 10a66e4535 user: drh tags: trunk)
2017-03-10
16:37
Add documentation for the SQLITE_MAX_MEMORY compile-time option. (check-in: 268f62bc5a user: drh tags: trunk)
Changes
Changes to misc/althttpd.c.
  */
  sanitizeString(zScript);

  /* Do not allow "/." or "/-" to to occur anywhere in the entity name.
  ** This prevents attacks involving ".." and also allows us to create
  ** files and directories whose names begin with "-" or "." which are
  ** invisible to the webserver.



  */
  for(z=zScript; *z; z++){
    if( *z=='/' && (z[1]=='.' || z[1]=='-') ){


       NotFound(__LINE__); /* LOG: Path element begins with "." or "-" */
    }
  }

  /* Figure out what the root of the filesystem should be.  If the
  ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the
  ** port number from the end (if any), convert all characters to lower







  */
  sanitizeString(zScript);

  /* Do not allow "/." or "/-" to to occur anywhere in the entity name.
  ** This prevents attacks involving ".." and also allows us to create
  ** files and directories whose names begin with "-" or "." which are
  ** invisible to the webserver.
  **
  ** Exception:  Do allow "/.well-known/" so that the letencrypt --webroot
  ** option will work.
  */
  for(z=zScript; *z; z++){
    if( *z=='/' && (z[1]=='.' || z[1]=='-')
     && strncmp(z,"/.well-known/",13)!=0
    ){
       NotFound(__LINE__); /* LOG: Path element begins with "." or "-" */
    }
  }

  /* Figure out what the root of the filesystem should be.  If the
  ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the
  ** port number from the end (if any), convert all characters to lower
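Review bot: The new exemption `&& strncmp(z,"/.well-known/",13)!=0` is evaluated at every '/' in zScript, so it admits a ".well-known" path element at any depth, not only at the start of the entity name, which is wider than the comment's stated purpose of making the --webroot option work. Consider applying the exception only when z==zScript, so that every other element beginning with "." or "-" stays invisible to the webserver as the original comment promises. Elements after the exempted prefix are still rejected because the loop keeps scanning and a later "/." or "/-" fails the strncmp test, so the ".." protection is intact; a sentence in the comment saying so would help the next reader. The comment also spells the tool name "letencrypt", and the pre-existing "to to" on the first comment line could be fixed in the same pass.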