uri processing reject paths not starting with slash
author Andy Green <andy@warmcat.com>
Sat, 2 Apr 2016 00:03:48 +0000 (08:03 +0800)
committer Andy Green <andy@warmcat.com>
Sat, 2 Apr 2016 00:03:48 +0000 (08:03 +0800)
https://github.com/warmcat/libwebsockets/issues/481

Return 403 Forbidden if we don't end up with a uri path starting with /

Test server already did this, but this makes it built into the
library.

Signed-off-by: Andy Green <andy@warmcat.com>
lib/server.c

index 0b6e4c1f1baba8563fb0c56b46fc84bbb510a918..59e664f9374691eb7547e9fdb7d9ef96d6572c33 100644 (file)
@@ -243,6 +243,14 @@ lws_http_action(struct lws *wsi)
                        break;
                }
 
+       /* we insist on absolute paths */
+
+       if (uri_ptr[0] != '/') {
+               lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
+
+               goto bail_nuke_ah;
+       }
+
        /* HTTP header had a content length? */
 
        wsi->u.http.content_length = 0;
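
Review bot: the new `if (uri_ptr[0] != '/')` test reads the first byte of uri_ptr with no guard visible in this hunk that the pointer is non-NULL and the URI is non-empty. The context above is the tail of a loop that exits with `break`, so it is worth confirming that uri_ptr is always set to a real header value when control reaches this point, and adding a NULL or zero-length test to the condition if it is not. Two smaller points: the return value of lws_return_http_status() is discarded here, and the comment "we insist on absolute paths" could say that this is only a first-byte check, so it also refuses the `*` and absolute-form (`http://host/path`) request-targets and does nothing about `..` segments inside a path that does start with `/`.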