-rw-r--r--lib/inets/doc/src/notes.xml8
-rw-r--r--lib/inets/src/http_server/httpd_request.erl4
-rw-r--r--lib/inets/src/inets_app/inets.appup.src4
3 files changed, 14 insertions, 2 deletions
diff --git a/lib/inets/doc/src/notes.xml b/lib/inets/doc/src/notes.xml
index 60559afc2e..5b5dfdde21 100644
--- a/lib/inets/doc/src/notes.xml
+++ b/lib/inets/doc/src/notes.xml
@@ -69,6 +69,14 @@
<p>Own Id: OTP-9434</p>
</item>
+ <item>
+ <p>[httpd] Fix httpd directory traversal on Windows.
+ Directory traversal was possible on Windows where
+ backward slash is used as directory separator. </p>
+ <p>Andr�s Veres-Szentkir�lyi.</p>
+ <p>Own Id: OTP-9561</p>
+ </item>
+
</list>
</section>
diff --git a/lib/inets/src/http_server/httpd_request.erl b/lib/inets/src/http_server/httpd_request.erl
index 7084d9824a..90f8bdd912 100644
--- a/lib/inets/src/http_server/httpd_request.erl
+++ b/lib/inets/src/http_server/httpd_request.erl
@@ -312,8 +312,8 @@ validate_uri(RequestURI) ->
{'EXIT',_Reason} ->
{error, {bad_request, {malformed_syntax, RequestURI}}};
_ ->
- Path = format_request_uri(UriNoQueryNoHex),
- Path2=[X||X<-string:tokens(Path, "/"),X=/="."], %% OTP-5938
+ Path = format_request_uri(UriNoQueryNoHex),
+ Path2 = [X||X<-string:tokens(Path, "/\\"),X=/="."],
validate_path( Path2,0, RequestURI)
end.
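Review bot: The rewritten `Path2` line drops the `%% OTP-5938` reference and adds nothing to explain why `\\` is now in the separator set, so a later cleanup could mistake it for a typo and revert to `"/"`. I would put a comment above it such as `%% OTP-9561: also split on "\\" so ".." segments written with backslashes are seen by validate_path/3`. The split now applies on every platform, not only Windows, which is the conservative choice for a validation step and worth stating in the same comment. The diffstat lists no test suite file, so a regression case in the httpd tests for a backslash-separated parent-directory request would be worth adding with this fix. validate_uri/1 and validate_path/3 both lie outside the hunk, so how `Path2` is checked is not visible here.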
diff --git a/lib/inets/src/inets_app/inets.appup.src b/lib/inets/src/inets_app/inets.appup.src
index 301bc2d58a..d5fdf86a60 100644
--- a/lib/inets/src/inets_app/inets.appup.src
+++ b/lib/inets/src/inets_app/inets.appup.src
@@ -20,12 +20,14 @@
[
{"5.7",
[
+ {load_module, httpd_request, soft_purge, soft_purge, []},
{load_module, httpc_cookie, soft_purge, soft_purge, [http_util]},
{load_module, http_util, soft_purge, soft_purge, []}
]
},
{"5.6",
[
+ {load_module, httpd_request, soft_purge, soft_purge, []},
{load_module, httpc, soft_purge, soft_purge, [httpc_manager]},
{load_module, http_transport, soft_purge, soft_purge, [http_transport]},
{load_module, httpc_cookie, soft_purge, soft_purge, [http_util]},
@@ -59,12 +61,14 @@
[
{"5.7",
[
+ {load_module, httpd_request, soft_purge, soft_purge, []},
{load_module, httpc_cookie, soft_purge, soft_purge, [http_util]},
{load_module, http_util, soft_purge, soft_purge, []}
]
},
{"5.6",
[
+ {load_module, httpd_request, soft_purge, soft_purge, []},
{load_module, httpc, soft_purge, soft_purge, [httpc_manager]},
{load_module, http_transport, soft_purge, soft_purge, [http_transport]},
{load_module, httpc_cookie, soft_purge, soft_purge, [http_util]},