mod_console: s2s:close: Use session:close() if that exists, otherwise just destroy...
[prosody.git] / plugins / mod_httpserver.lua
index a863928148bf33407b80c0c7cd8f31638813a84e..73357f1be02526ea34c77500807a389eeba73900 100644 (file)
@@ -11,14 +11,19 @@ local httpserver = require "net.httpserver";
 
 local open = io.open;
 local t_concat = table.concat;
+local check_http_path;
 
-local http_base = "www_files";
+local http_base = config.get("*", "core", "http_path") or "www_files";
 
+local response_403 = { status = "403 Forbidden", body = "<h1>Invalid URL</h1>Sorry, we couldn't find what you were looking for :(" };
 local response_404 = { status = "404 Not Found", body = "<h1>Page Not Found</h1>Sorry, we couldn't find what you were looking for :(" };
 
 local http_path = { http_base };
 local function handle_request(method, body, request)
-       local path = request.url.path:gsub("%.%.%/", ""):gsub("^/[^/]+", "");
+       local path = check_http_path(request.url.path:gsub("^/[^/]+%.*", ""));
+       if not path then
+               return response_403;
+       end
        http_path[2] = path;
        local f, err = open(t_concat(http_path), "r");
        if not f then return response_404; end
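Review bot: In `handle_request`, `gsub` returns both the rewritten string and a match count, and because the call is the last argument both values are forwarded to `check_http_path`. The extra value is ignored today, but it would silently bind to any second parameter added later; wrapping the call in parentheses truncates it to one value: `local path = check_http_path((request.url.path:gsub("^/[^/]+%.*", "")));`. The `%.*` in that pattern looks redundant, since the greedy `[^/]+` already consumes any dots in the first segment, so a comment such as `-- strip the leading "/<handler>" segment; the rest is resolved under http_base` would make the intent clear. Separately, `response_403` reuses the 404 wording ("couldn't find what you were looking for"), which does not describe a rejected path. The function body continues past the end of this hunk.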
@@ -29,3 +34,22 @@ end
 
 local ports = config.get(module.host, "core", "http_ports") or { 5280 };
 httpserver.new_from_config(ports, "files", handle_request);
+
+function check_http_path(url)
+       if url:sub(1,1) ~= "/" then
+               url = "/"..url;
+       end
+       
+       local level = 0;
+       for part in url:gmatch("%/([^/]+)") do
+               if part == ".." then
+                       level = level - 1;
+               elseif part ~= "." then
+                       level = level + 1;
+               end
+               if level < 0 then
+                       return nil;
+               end
+       end
+       return url;
+end
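Review bot: `check_http_path` is a purely lexical check that splits only on `/`, so a segment containing backslashes is counted as one ordinary component. If this module can run on a platform whose file APIs also treat `\` as a separator, the depth counter no longer reflects what `io.open` will resolve. Rejecting such input before the loop closes that gap: `if url:find("\\", 1, true) then return nil; end`. The function also returns the URL un-normalised, with any `.` and `..` segments still in it, so containment relies on the OS resolving them the same way the counter did; symlinked directories under `http_base` are not covered. A short doc comment should state this contract, for example `-- Returns url (with a leading "/") if it never climbs above the root, else nil; lexical check only, does not resolve symlinks`.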