Documentation Source Text

Check-in [adbefa195f]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Tighten and formalize the hack in althttpd that allows .well-known path prefixes on URIs.
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1: adbefa195f16f787622ad0e1c6857fcc4d87608d
User & Date: drh 2017-03-14 23:28:20
Context
2017-03-15
13:56
Preliminary documentation for the .sha3sum and .selftest commands of the CLI. check-in: a4e4f94863 user: drh tags: trunk
2017-03-14
23:28
Tighten and formalize the hack in althttpd that allows .well-known path prefixes on URIs. check-in: adbefa195f user: drh tags: trunk
02:17
Modify althttpd.c to allow web content in the ".well-known" directory. check-in: 10a66e4535 user: drh tags: trunk
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to misc/althttpd.c.

1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
  sanitizeString(zScript);

  /* Do not allow "/." or "/-" to to occur anywhere in the entity name.
  ** This prevents attacks involving ".." and also allows us to create
  ** files and directories whose names begin with "-" or "." which are
  ** invisible to the webserver.
  **
  ** Exception:  Do allow "/.well-known/" so that the letencrypt --webroot
  ** option will work.
  */
  for(z=zScript; *z; z++){
    if( *z=='/' && (z[1]=='.' || z[1]=='-')
     && strncmp(z,"/.well-known/",13)!=0
    ){
       NotFound(__LINE__); /* LOG: Path element begins with "." or "-" */
    }
  }

  /* Figure out what the root of the filesystem should be.  If the
  ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the







|
|



|







1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
  sanitizeString(zScript);

  /* Do not allow "/." or "/-" to to occur anywhere in the entity name.
  ** This prevents attacks involving ".." and also allows us to create
  ** files and directories whose names begin with "-" or "." which are
  ** invisible to the webserver.
  **
  ** Exception:  Allow the "/.well-known/" prefix in accordance with
  ** RFC-5785
  */
  for(z=zScript; *z; z++){
    if( *z=='/' && (z[1]=='.' || z[1]=='-')
     && (z>zScript || strncmp(z,"/.well-known/",13)!=0)
    ){
       NotFound(__LINE__); /* LOG: Path element begins with "." or "-" */
    }
  }

  /* Figure out what the root of the filesystem should be.  If the
  ** HTTP_HOST parameter exists (stored in zHttpHost) then remove the