riley/proxima
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix potential security issue with building redirection target uri

Browse source
This commit is contained in:
Riley Apeldoorn 2022-07-21 14:36:30 +02:00
parent 8f4b9944e7
commit 06bf4d9afb
1 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/main.rs
View file

@ -208,8 +208,18 @@ impl Effect {
match self { match self {
Effect::Proxy { port, .. } => { Effect::Proxy { port, .. } => {
let host = "0.0.0.0"; // Support for custom hosts added later let host = "0.0.0.0"; // Support for custom hosts added later
let path = req.uri().path_and_query().map(|x| x.as_str()).unwrap_or(""); let path = req
let target = format!("http://{host}:{port}{path}"); .uri()
.path_and_query()
.and_then(|x| {
// Reject all requests where the path doesn't start with a `/`,
// and strip the first `/` off all paths so we can ensure that
// the path is actually separated from the host and port.
x.as_str().strip_prefix('/')
})
.unwrap_or("");
let target = format!("http://{host}:{port}/{path}");
let uri = target.parse().unwrap(); let uri = target.parse().unwrap();
*req.uri_mut() = uri; *req.uri_mut() = uri;