commit a6cc1d6108a82131473fe295ca785f98eb140388 Author: David Fifield <david@bamsoftware.com> Date: Mon Sep 10 21:03:51 2012 -0700 Check PATH info for a path of /. --- facilitator/facilitator.cgi | 10 +++++++++- 1 files changed, 9 insertions(+), 1 deletions(-) diff --git a/facilitator/facilitator.cgi b/facilitator/facilitator.cgi index 39566d3..6ccb479 100755 --- a/facilitator/facilitator.cgi +++ b/facilitator/facilitator.cgi @@ -2,6 +2,7 @@ import cgi import os +import os.path import socket import sys import urllib @@ -68,14 +69,19 @@ def get_reg(proxy_addr): exit_error(500) method = os.environ.get("REQUEST_METHOD") +path_info = os.environ.get("PATH_INFO") proxy_addr = (os.environ.get("REMOTE_ADDR"), None) -if not method or not proxy_addr[0]: +if not method or not path_info or not proxy_addr[0]: exit_error(400) +path = os.path.normpath(path_info) + fs = cgi.FieldStorage() def do_get(): + if path != "/": + exit_error(400) try: reg = get_reg(proxy_addr) or "" except: @@ -90,6 +96,8 @@ Access-Control-Allow-Origin: *\r sys.stdout.write(urllib.urlencode(reg)) def do_post(): + if path != "/": + exit_error(400) client_specs = fs.getlist("client") if len(client_specs) != 1: exit_error(400)