From a1027d4499cfad752d6c449b407bb1f8dc4e16d2 Mon Sep 17 00:00:00 2001
From: ulrich
Date: Mon, 04 Nov 2024 12:29:52 +0000
Subject: [PATCH] inspectFileName angepasst
---
 src/de/uhilger/neon/HttpHelper.java | 81 +++++++++++++++------------------------
 1 files changed, 30 insertions(+), 51 deletions(-)
diff --git a/src/de/uhilger/neon/HttpHelper.java b/src/de/uhilger/neon/HttpHelper.java
index 05dcba8..c2485d8 100644
--- a/src/de/uhilger/neon/HttpHelper.java
+++ b/src/de/uhilger/neon/HttpHelper.java
@@ -55,11 +55,23 @@
 * @param e das Objekt mit Methoden zur Untersuchung der Anfrage sowie zum
 * Anfertigen und Senden der Antwort
 * @return Name der gewünschten Datei
+ * @throws IllegalArgumentException wenn der Dateiname ungueltige Zeichen
+ * enthaelt, z.B. ../
 */
- public String getFileName(HttpExchange e) {
+ public String getFileName(HttpExchange e) throws IllegalArgumentException {
 String ctxPath = e.getHttpContext().getPath();
 String uriPath = e.getRequestURI().getPath();
- return uriPath.substring(ctxPath.length());
+ return inspectFileName(uriPath.substring(ctxPath.length()));
+ }
+
+ public String inspectFileName(String fileName) throws IllegalArgumentException {
+ if (fileName == null
+ || fileName.contains("..")) {
+ //|| fileName.contains("/")
+ //|| fileName.contains("\\")) {
+ throw new IllegalArgumentException("Invalid file name");
+ }
+ return fileName;
 }
 
 public String bodyLesen(HttpExchange exchange) throws IOException {
@@ -73,15 +85,6 @@
 }
 return sb.toString();
 }
-
- /*public String getAttrStr(Map attributes, String key, String defaultValue) {
- Object value = attributes.get(key);
- if(value instanceof String) {
- return value.toString();
- } else {
- return defaultValue;
- }
- } */
 
 public Map<String, String> getQueryMap(HttpExchange exchange) {
 if(exchange.getRequestMethod().equalsIgnoreCase("GET")) {
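Review bot: `inspectFileName` rejects only the literal substring `..`, so `getFileName` still returns names that can leave the intended directory by other routes — a name that starts with `/` (e.g. `/etc/passwd` after the context prefix is stripped) passes unchanged, and whether that escapes depends on how the caller joins it (`new File(parent, child)` re-roots an absolute child, `Path.resolve` does not); likewise `URI.getPath()` decodes once, so a doubly-encoded `%252e%252e` survives this check if anything downstream decodes again. A substring denylist cannot prove containment; the reliable check belongs where the name is joined to the file base, which is not in this hunk: `Path target = base.resolve(fileName).normalize(); if (!target.startsWith(base)) throw new IllegalArgumentException("Invalid file name");` with `base` already absolute and normalized. `contains("..")` also rejects benign names such as `a..b`, so if it stays it should test path segments (`"..".equals(segment)`) rather than the whole string. The commented-out `/` and `\\` conditions should be deleted or replaced by a comment saying that sub-paths are intentionally allowed; as written the reader cannot tell which.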
@@ -97,23 +100,23 @@
 
 public Map<String, String> getQueryMap(String query) {
 Map<String, String> map = new HashMap<>();
- if(query instanceof String) {
- String[] params = query.split(STR_AMP);
- for (String param : params) {
- String name = param.split(STR_EQUAL)[0];
- String value = param.split(STR_EQUAL)[1];
- map.put(name, value);
- }
- } else {
- // map bleibt leer
+ try {
+ if(query instanceof String) {
+ String[] params = query.split(STR_AMP);
+ for (String param : params) {
+ String name = param.split(STR_EQUAL)[0];
+ String value = param.split(STR_EQUAL)[1];
+ map.put(name, value);
+ }
+ } else {
+ // map bleibt leer
+ }
+ } catch(Exception ex) {
+
+ } finally {
+ return map;
 }
- return map;
 }
-
- /*public String getRouteString(HttpExchange exchange) {
- return exchange.getRequestURI().getPath()
- .substring(exchange.getHttpContext().getPath().length());
- }*/
 
 public String getRouteString(HttpExchange exchange) {
 return getFileName(exchange);
@@ -121,29 +124,5 @@
 
 public List<String> getRouteList(String routeString) {
 return Arrays.asList(routeString.split("/"));
- }
-
- /*
- public File tryWelcomeFiles(HttpExchange e, String fName) {
- boolean notFound = true;
- File file = null;
- String fileBase = e.getHttpContext().getAttributes().get(FileHandler.ATTR_FILE_BASE).toString();
- Object welcomeFiles = e.getHttpContext().getAttributes().get(FileHandler.ATTR_WELCOME_FILES);
- if(welcomeFiles instanceof String) {
- String[] fileNames = welcomeFiles.toString().split(FileHandler.STR_COMMA);
- int i = -1;
- while(notFound && ++i < fileNames.length) {
- file = new File(fileBase, fName + fileNames[i]);
- if(file.exists()) {
- notFound = false;
- }
- }
- }
- if(notFound) {
- file = new File(fileBase, fName + FileHandler.WELCOME_FILE);
- }
- return file;
- }
- */
-
+ }
 }
-- 
Gitblit v1.9.3
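Review bot: The empty `catch(Exception ex)` together with `return map` inside `finally` in `getQueryMap(String)` hides every failure — a parameter without `=` throws `ArrayIndexOutOfBoundsException` at `param.split(STR_EQUAL)[1]`, and the caller then receives a silently truncated map holding only the pairs parsed before the bad one, indistinguishable from a complete parse. A `return` in `finally` also discards anything the catch did not take, including `Error`s, which is why javac's `-Xlint:finally` and the usual linters flag it. The malformed case is cheap to handle explicitly instead: inside the loop write `if (param.isEmpty()) continue;`, `String[] kv = param.split(STR_EQUAL, 2);` and `map.put(kv[0], kv.length > 1 ? kv[1] : "");`, then drop the try/catch/finally and end with a plain `return map;`. The `, 2` limit additionally keeps a value that itself contains `=` intact, where the current `split(STR_EQUAL)[1]` truncates it; whether the pairs should also be URL-decoded here cannot be judged from this hunk.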