From daa04f5db942d293c3d269405421617137ef0d4c Mon Sep 17 00:00:00 2001
From: orbiter
Date: Fri, 4 Apr 2008 12:15:27 +0000
Subject: [PATCH] added additional check in file handler to prevent that url attacks are hidden in url path encodings

git-svn-id: https://svn.berlios.de/svnroot/repos/yacy/trunk@4637 6c8d7289-2bf4-0310-a012-ef5d649a1542
---
 source/de/anomic/http/httpdFileHandler.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/source/de/anomic/http/httpdFileHandler.java b/source/de/anomic/http/httpdFileHandler.java
index 3211722f1..b570f8b45 100644
--- a/source/de/anomic/http/httpdFileHandler.java
+++ b/source/de/anomic/http/httpdFileHandler.java
@@ -296,6 +296,12 @@ public final class httpdFileHandler {
 assert(false) : "UnsupportedEncodingException: " + e.getMessage();
 }
+ // check again hack attacks in path
+ if (path.indexOf("..") >= 0) {
+ httpd.sendRespondError(conProp,out,4,403,null,"Access not allowed",null);
+ return;
+ }
+
 // check permission/granted access
 String authorization = (String) requestHeader.get(httpHeader.AUTHORIZATION);
 String adminAccountBase64MD5 = switchboard.getConfig(httpd.ADMIN_ACCOUNT_B64MD5, "");
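Review bot: The added `path.indexOf("..") >= 0` guard is a substring denylist rather than a containment check, so it also answers 403 for legitimate names that merely contain two consecutive dots. It holds only as long as nothing later decodes or normalises `path` a second time, which this hunk does not show. A sturdier form keeps this test as an early reject but additionally resolves the decoded path against the served root directory and refuses the request unless the canonical file path still lies under the canonical root. The comment would say more as `// re-check for ".." now that the path is URL-decoded; an encoded sequence is only visible after decoding`, assuming the decode happens in the try block above, which lies outside the hunk. The enclosing method also starts and ends outside the hunk.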