424 | sub map_uri { |
424 | sub map_uri { |
425 | my $self = shift; |
425 | my $self = shift; |
426 | my $host = $self->{server_name}; |
426 | my $host = $self->{server_name}; |
427 | my $uri = $self->{uri}; |
427 | my $uri = $self->{uri}; |
428 | |
428 | |
|
|
429 | $host =~ /[\/\\]/ |
|
|
430 | and $self->err(400, "bad request"); |
|
|
431 | |
429 | # some massaging, also makes it more secure |
432 | # some massaging, also makes it more secure |
430 | $uri =~ s/%([0-9a-fA-F][0-9a-fA-F])/chr hex $1/ge; |
433 | $uri =~ s/%([0-9a-fA-F][0-9a-fA-F])/chr hex $1/ge; |
431 | $uri =~ s%//+%/%g; |
434 | $uri =~ s%//+%/%g; |
432 | $uri =~ s%/\.(?=/|$)%%g; |
435 | $uri =~ s%/\.(?=/|$)%%g; |
433 | 1 while $uri =~ s%/[^/]+/\.\.(?=/|$)%%; |
436 | 1 while $uri =~ s%/[^/]+/\.\.(?=/|$)%%; |