sdomi
5ee00c6ead
server: fix directory traversal
In select cases, if the attacker asked for a URL not starting with a slash (/),
a directory traversal bug could have been triggered. The attack is limited to
directories within `${cfg[namespace]}` (default: `app`) which begin with
`${cfg[root]}` (default: `webroot`).
This means that an adversary could traverse to `app/webroot*`. We never
encouraged / suggested keeping multiple webroots in one namespace, thus it's
doubtful whether any HTTP.sh deployment met the criteria.
2024-12-01 22:52:11 +01:00
sdomi
403ef2b4ee
server: normalize a few other things
2024-12-01 22:51:56 +01:00
sdomi
c943b7897e
template: prevent expansion on keys (which shouldn't happen anyways)
2024-12-01 22:39:30 +01:00
sdomi
3d8dd9879e
server: url_decode all GET params (we don't care about binary data there)
2024-10-22 16:33:02 +01:00
sdomi
126de1e396
main: fix edge case with cloned app repo
2024-10-11 20:41:37 +02:00
sdomi
da54143a3f
server: remove PHP/Python execution handlers, to be replaced with CGI
2024-10-07 18:09:17 +02:00
sdomi
951517b30d
*: better versioning, split off various resources into .resources/
2024-10-07 17:58:15 +02:00
sdomi
56d2af2cd8
tests: more header parsing tests
2024-10-05 04:36:03 +02:00
sdomi
3c8f848a9a
proxy: remove
While a proxy function is useful, this implementation was unsalvageable.
2024-10-05 03:17:39 +02:00
famfo
510c372f1d
server: add support for getting IP address behind a proxy
2024-10-05 03:05:16 +02:00
famfo
2cc067fc93
server: simplify header parsing code
2024-10-05 03:05:09 +02:00
famfo
a1323dc07e
Test: fix bash path
2024-10-05 03:04:11 +02:00
TheresNoTime
9adbf34fce
Add xxd as a required dependency
2024-09-26 23:18:24 +02:00
famfo
b4ea5954ec
mime: fix ico/favicon.ico mimetype
2024-09-26 14:04:19 +02:00
sdomi
2fd62dbbba
server: fixup non-urlencoded post_data parsing
2024-09-06 00:50:47 +02:00
sdomi
fb8ae0eabc
notORM: fix erroneous row return on no match
2024-09-03 22:56:34 +02:00
sdomi
cd0fe42879
cookie: add Path attribute
2024-08-18 00:05:58 +02:00
sdomi
d8a475e11b
notORM, account: revert previous fix and employ a workaround for a bash bug
2024-08-17 23:10:10 +02:00
sdomi
11828198ce
account: fix bug with empty fields getting omitted
2024-08-17 22:36:47 +02:00
sdomi
12011e5991
notORM: fix not enough delims
2024-08-17 22:30:07 +02:00
sdomi
4b9d4a5fda
notORM: fix spurious $delim
2024-08-17 21:57:17 +02:00
sdomi
3db39c4948
notORM: fix typo
2024-08-17 21:35:57 +02:00
sdomi
23de1448e0
worker: setup the runtime
2024-08-17 21:28:23 +02:00
sdomi
11d3c0a899
notORM: replace some tr calls with bashisms
2024-08-17 21:27:32 +02:00
sdomi
1059be1618
server: fixup the parameter and cookie parsing
2024-08-17 05:14:53 +02:00
sdomi
4728b1651f
server: rewrite slow sed calls into fast(er) bashisms
2024-08-17 04:51:17 +02:00
sdomi
5fc46f0f53
misc: improve url_decode
2024-08-17 04:14:06 +02:00
sdomi
6a22be0b4d
server: fix parameter parsing on very long chains (in GET)
2024-08-17 02:55:54 +02:00
sdomi
dabd8bdb0c
main: interactive shell mode
2024-08-17 02:33:49 +02:00
sdomi
69751adc52
server: fix parameter parsing on very long chains
2024-08-15 23:44:49 +02:00
sdomi
691ff46e75
response: fixup the HTTP response code if it got emptied by downstream
2024-08-15 19:50:15 +02:00
sdomi
fb247a6092
server: try to drop invalid connections
2024-08-15 19:45:56 +02:00
sdomi
62fb5556f4
notORM: iter now returns 255 on loop break
2024-08-11 21:58:34 +02:00
sdomi
ef933dd603
account: more checks
2024-08-11 18:39:54 +02:00
sdomi
c595acf6b9
router: more bashisms, less subshells
2024-08-11 03:02:14 +02:00
sdomi
8c29f4ad4e
notORM: change iter failure state from 1 to 255 to prevent spontaneous fatals
2024-08-11 02:17:11 +02:00
sdomi
9a8f1dc2e4
response: migrate from printf to 'echo' and 'echo -e' (to prevent % injections)
2024-08-11 01:07:19 +02:00
sdomi
0f6233bbd3
core: better debuggier output, somewhat
2024-08-11 00:39:17 +02:00
sdomi
30c494c8e9
notORM: break out of data_iter after first failure
2024-08-10 23:24:04 +02:00
sdomi
b38860ec9c
tests: align tst.sh with the docs
2024-08-07 00:02:31 +02:00
sdomi
5425a8ff14
misc: fix url_encode inconsistencies
2024-08-07 00:02:03 +02:00
sdomi
d6f46b949d
tests: add match_not; add html/url encode tests
2024-08-06 23:42:44 +02:00
sdomi
358a8737ab
tests: basic template tests
2024-08-06 22:50:57 +02:00
sdomi
46530b9f17
docs: quick start
2024-08-05 19:17:45 +02:00
sdomi
1c48d95d41
docs: wrote some info about tst.sh
2024-08-05 18:13:03 +02:00
sdomi
332c256d6c
tests: crude testing framework
2024-08-04 21:37:51 +02:00
sdomi
5b8d492898
account: remember me flag
2024-08-04 01:59:21 +02:00
sdomi
93d02b4295
account: more middleware functions
2024-08-04 01:33:10 +02:00
sdomi
f16005fa0b
notORM: fix the repeat function
2024-08-04 00:20:25 +02:00
sdomi
5ef931ca9d
account: finally, proper sessions
2024-08-04 00:19:47 +02:00