Fix directory traversal bug

CHANGES

@@ -1,3 +1,6 @@
+4.0:
+	Fix directory traversal vulnerability (fuzzie)
+
 3.1:
 	Add -. flag to disable vhosting
 	Support server push CGI

eris.c

@@ -576,11 +576,6 @@ handle_request()
 					case '?':
 						query_string = p + 1;
 						continue;
-                    case '.':
-                        if (p[-1] == '/') {
-                            c = ':';
-                        }
-                        break;
 					case '%':
 						if (p[1] && p[2]) {
 							int a = fromhex(p[1]);
@@ -601,6 +596,12 @@ handle_request()
 		}
 		*fsp = 0;
 
+		/* Change "/." to "/:" to keep "hidden" files such and prevent directory traversal */
+		while ((fsp = strstr(fspath, "/."))) {
+			*(fsp+1) = ':';
+		}
+
+
 		*(p++) = 0;		 /* NULL-terminate path */
 
 		if (docgi && query_string) {

test.sh

@@ -150,6 +150,12 @@ title "Too many headers"
  done
  printf '\r\n') | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 431 ' && pass || fail
  
+ title "Directory traversal"
+ printf 'GET /../default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
+ 
+ title "Escaped directory traversal"
+ printf 'GET /%%2e%%2e/default/index.html HTTP/1.0\r\n\r\n' | $HTTPD 2>/dev/null | grep -q 'HTTP/1.. 404' && pass || fail
+
 
 H "If-Modified-Since"