mirrors/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2024-11-26 03:06:37 +03:00
Code Issues Projects Releases Packages Wiki Activity

Reject requests that contain backslash in path

Browse source 
PR #18626.
Closes #18618.
This commit is contained in:
Vladimir Golovnev 2023-02-27 16:50:50 +03:00 committed by GitHub
parent ff0f3b4975
commit 58a654a70f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/webui/webapplication.cpp
View file

@ -173,9 +173,14 @@ WebApplication::~WebApplication()
void WebApplication::sendWebUIFile()
{
const QStringList pathItems {request().path.split(u'/', Qt::SkipEmptyParts)};
if (pathItems.contains(u".") || pathItems.contains(u".."))
throw InternalServerErrorHTTPError();
if (request().path.contains(u'\\'))
throw BadRequestHTTPError();
if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
; pathItems.contains(u".") || pathItems.contains(u".."))
{
throw BadRequestHTTPError();
}
const QString path = (request().path != u"/")
? request().path