github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-08-20 13:23:34 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Reject requests that contain backslash in path

Browse source 
PR #18626.
Closes #18618.
This commit is contained in:
Vladimir Golovnev 2023-02-27 16:50:50 +03:00 committed by Vladimir Golovnev (Glassez)
commit 38c0864bf2
No known key found for this signature in database
GPG key ID: 52A2C7DEE2DFA6F7
1 changed files with 8 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/webui/webapplication.cpp
View file

@ -151,9 +151,14 @@ WebApplication::~WebApplication()
void WebApplication::sendWebUIFile()
{
const QStringList pathItems {request().path.split(u'/', Qt::SkipEmptyParts)};
if (pathItems.contains(u".") || pathItems.contains(u".."))
throw InternalServerErrorHTTPError();
if (request().path.contains(u'\\'))
throw BadRequestHTTPError();
if (const QList<QStringView> pathItems = QStringView(request().path).split(u'/', Qt::SkipEmptyParts)
; pathItems.contains(u".") || pathItems.contains(u".."))
{
throw BadRequestHTTPError();
}
const QString path = (request().path != u"/")
? request().path