… | |
… | |
424 | sub map_uri { |
424 | sub map_uri { |
425 | my $self = shift; |
425 | my $self = shift; |
426 | my $host = $self->{server_name}; |
426 | my $host = $self->{server_name}; |
427 | my $uri = $self->{uri}; |
427 | my $uri = $self->{uri}; |
428 | |
428 | |
|
|
429 | $host =~ /[\/\\]/ |
|
|
430 | and $self->err(400, "bad request"); |
|
|
431 | |
429 | # some massaging, also makes it more secure |
432 | # some massaging, also makes it more secure |
430 | $uri =~ s/%([0-9a-fA-F][0-9a-fA-F])/chr hex $1/ge; |
433 | $uri =~ s/%([0-9a-fA-F][0-9a-fA-F])/chr hex $1/ge; |
431 | $uri =~ s%//+%/%g; |
434 | $uri =~ s%//+%/%g; |
432 | $uri =~ s%/\.(?=/|$)%%g; |
435 | $uri =~ s%/\.(?=/|$)%%g; |
433 | 1 while $uri =~ s%/[^/]+/\.\.(?=/|$)%%; |
436 | 1 while $uri =~ s%/[^/]+/\.\.(?=/|$)%%; |
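Review bot: The new check on lines 429–430 only denies `/` and `\` in the host, so a value such as `..`, a leading `.`, or an empty `server_name` still passes; if that value is later joined into a filesystem path (the "also makes it more secure" comment suggests it is, but that use is outside this hunk), a two-character deny-list is not sufficient. An allow-list of hostname labels is the same length and closes those cases: `$host =~ m{ \A [\w-]+ (?: \. [\w-]+ )* (?: : \d+ )? \z }x or $self->err(400, "bad request");`. It is also worth confirming that `err` does not return normally — if it only writes the response, the remainder of `map_uri` still runs with the rejected host, and the statement needs `or return $self->err(400, "bad request")` instead. map_uri's body continues past the end of the hunk.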
… | |
… | |
552 | }; |
555 | }; |
553 | |
556 | |
554 | my @code = (200, "ok"); |
557 | my @code = (200, "ok"); |
555 | my ($l, $h); |
558 | my ($l, $h); |
556 | |
559 | |
557 | if ($self->{h}{range} =~ /^bytes=(.*)$/) { |
560 | if ($self->{h}{range} =~ /^bytes=(.*)$/i) { |
558 | for (split /,/, $1) { |
561 | for (split /,/, $1) { |
559 | if (/^-(\d+)$/) { |
562 | if (/^-(\d+)$/) { |
560 | ($l, $h) = ($length - $1, $length - 1); |
563 | ($l, $h) = ($length - $1, $length - 1); |
561 | } elsif (/^(\d+)-(\d*)$/) { |
564 | } elsif (/^(\d+)-(\d*)$/) { |
562 | ($l, $h) = ($1, ($2 ne "" || $2 >= $length) ? $2 : $length - 1); |
565 | ($l, $h) = ($1, ($2 ne "" || $2 >= $length) ? $2 : $length - 1); |