From f5ae94639bad542e6ae2b57495cb975bd8feb45e Mon Sep 17 00:00:00 2001
From: Floris Bos
Date: Sun, 29 Mar 2015 21:02:25 +0200
Subject: [PATCH] httpd: disallow directory traversal

Signed-off-by: Floris Bos
---
 libvncserver/httpd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libvncserver/httpd.c b/libvncserver/httpd.c
index 12d71a8..2a778e7 100644
--- a/libvncserver/httpd.c
+++ b/libvncserver/httpd.c
@@ -423,6 +423,14 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
         }
     }
 
+    /* Basic protection against directory traversal outside webroot */
+
+    if (strstr(fname, "..")) {
+        rfbErr("httpd: URL should not contain '..'\n");
+        rfbWriteExact(&cl, NOT_FOUND_STR, strlen(NOT_FOUND_STR));
+        httpCloseSock(rfbScreen);
+        return;
+    }
 
     /* If we were asked for '/', actually read the file index.vnc */
 
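Review bot: `strstr(fname, "..")` in the added block is a plain substring match, so it refuses legitimate names such as `a..b.vnc` while only ever catching a literal `..`; if `fname` is percent-decoded anywhere after this point (not visible in the hunk), an encoded form of the same sequence would pass the check, so the decode step should run before it. A per-segment test is tighter: walk `fname` and reject only when a component between `/` separators is exactly `..`, keeping the existing error path (`rfbErr`, `NOT_FOUND_STR`, `httpCloseSock`) unchanged. The blank line between the comment and the `if` should also go, so the comment sits directly on the code it describes. httpProcessInput starts and ends outside the hunk.
```c
/* Return non-zero when any '/'-delimited component of path is exactly "..".
 * Checks components rather than substrings so "a..b" stays a valid name. */
static int
httpHasDotDotSegment(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if (p - seg == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p)
            p++;
    }
    return 0;
}

    /* Basic protection against directory traversal outside webroot */
    if (httpHasDotDotSegment(fname)) {
        rfbErr("httpd: URL should not contain '..'\n");
        /* … unchanged: NOT_FOUND_STR response, httpCloseSock, return … */
    }
```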