From 2133fd579e0d4726b032288d10d053231109c586 Mon Sep 17 00:00:00 2001
From: Jon Bergli Heier
Date: Wed, 29 Dec 2010 22:00:50 +0100
Subject: Don't allow requests with /../ in the path.

---
 music.cpp | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'music.cpp')

diff --git a/music.cpp b/music.cpp
index 2c3b788..9b840bb 100644
--- a/music.cpp
+++ b/music.cpp
@@ -22,6 +22,11 @@ MusicListing::p get(const std::string path) {
 // prefix path with our root_directory
 fs::path p = root_directory / path;
 
+ // don't allow requests with /../ in the path
+ if(path.find("/../") != std::string::npos) {
+ return MusicListing::p();
+ }
+
 if(fs::is_directory(p)) {
 boost::shared_ptr ml(new MusicDirectory(p));
 return ml;
-- 
cgit v1.2.3
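Review bot: The added guard `path.find("/../") != std::string::npos` only matches a `..` that has a slash on both sides, so a request path that is exactly `..`, begins with `../` or ends with `/..` still passes and is joined onto `root_directory`. Comparing path components rather than substrings closes that gap, e.g. `fs::path rel(path); for(fs::path::iterator it = rel.begin(); it != rel.end(); ++it) if(*it == "..") return MusicListing::p();`. Whether a leading `/` in `path` lets `root_directory / path` leave the root depends on the Boost.Filesystem version in use, and symlinks below the root are not covered by either check, so resolving `p` and verifying it still lies under `root_directory` is the stronger test. The body of `get` continues past the hunk, so how callers treat the empty `MusicListing::p()` is not visible here.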