diff --git a/include/crow/http_response.h b/include/crow/http_response.h
index 9862a6a41..473acb611 100644
--- a/include/crow/http_response.h
+++ b/include/crow/http_response.h
@@ -223,10 +223,16 @@ namespace crow
 int statResult;
 };
- ///Return a static file as the response body
+ /// Return a static file as the response body
 void set_static_file_info(std::string path)
 {
 utility::sanitize_filename(path);
+ set_static_file_info_unsafe(path);
+ }
+
+ /// Return a static file as the response body without sanitizing the path (use set_static_file_info instead)
+ void set_static_file_info_unsafe(std::string path)
+ {
 file_info.path = path;
 file_info.statResult = stat(file_info.path.c_str(), &file_info.statbuf);
 #ifdef CROW_ENABLE_COMPRESSION
@@ -252,6 +258,7 @@ namespace crow
 else
 {
 code = 404;
+ file_info.path.clear();
 this->end();
 }
 }
diff --git a/include/crow/json.h b/include/crow/json.h
index 1c4e9d6b7..88d681add 100644
--- a/include/crow/json.h
+++ b/include/crow/json.h
@@ -16,9 +16,11 @@
 #include
 #include
 #include
+#include
 #include "crow/settings.h"
 #include "crow/returnable.h"
+#include "crow/logging.h"
 #if defined(__GNUG__) || defined(__clang__)
 #define crow_json_likely(x) __builtin_expect(x, 1)
@@ -1772,6 +1774,12 @@ namespace crow
 {
 if (v.nt == num_type::Floating_point)
 {
+ if (isnan(v.num.d) || isinf(v.num.d))
+ {
+ out += "null";
+ CROW_LOG_WARNING << "Invalid JSON value detected (" << v.num.d << "), value set to null";
+ break;
+ }
 #ifdef _MSC_VER
 #define MSC_COMPATIBLE_SPRINTF(BUFFER_PTR, FORMAT_PTR, VALUE) sprintf_s((BUFFER_PTR), 128, (FORMAT_PTR), (VALUE))
 #else
diff --git a/include/crow/mustache.h b/include/crow/mustache.h
index b660c87fc..866d8dc6c 100644
--- a/include/crow/mustache.h
+++ b/include/crow/mustache.h
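Review bot: `set_static_file_info_unsafe` is a public member that hands an unsanitized, possibly request-derived path straight to `stat()`, and its one-line comment does not say who is responsible for validating that path; I would expand it to `/// Return a static file as the response body without sanitizing the path. The caller must guarantee that path is trusted (never built from request input), since no traversal or absolute-path protection is applied here; prefer set_static_file_info.` Both functions take `std::string path` by value, so `set_static_file_info_unsafe(std::move(path));` in the wrapper and `file_info.path = std::move(path);` in the unsafe variant would avoid two copies. The body of `set_static_file_info_unsafe` continues past the end of the hunk.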
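Review bot: The added `file_info.path.clear();` in the 404 branch carries no comment saying why the path is dropped; presumably it is so that code running after `this->end()` does not treat the response as a file response once `stat()` has failed, but that should be confirmed and recorded, e.g. `// stat() failed: drop the path so this is sent as a plain 404, not as a file`. The enclosing function starts outside the hunk.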
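Review bot: `isnan` and `isinf` are called unqualified in the new check; only `std::isnan`/`std::isinf` are guaranteed by `<cmath>`, while the global-namespace names are implementation-dependent and on some toolchains are C macros that shadow the overloads, so write `if (std::isnan(v.num.d) || std::isinf(v.num.d))`. The header added in the `@@ -16` hunk is not legible in this rendering; presumably it is `<cmath>`, which is what the qualified calls need. Emitting `null` for a non-finite double silently changes the document the consumer receives, so the WARNING log is the right call, and a one-line comment above the check noting that JSON has no representation for NaN or infinity would explain the substitution to the next reader. The enclosing switch and function lie outside the hunk.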
@@ -146,8 +146,8 @@ namespace crow
 case '"': out += """; break;
 case '\'': out += "'"; break;
 case '/': out += "/"; break;
- case '`': out += "`"; break;
- case '=': out += "="; break;
+ case '`': out += "`"; break;
+ case '=': out += "="; break;
 default: out += *it; break;
 }
 }
@@ -631,6 +631,13 @@ namespace crow
 }
 inline std::string load_text(const std::string& filename)
+ {
+ std::string filename_sanitized(filename);
+ utility::sanitize_filename(filename_sanitized);
+ return detail::get_loader_ref()(filename_sanitized);
+ }
+
+ inline std::string load_text_unsafe(const std::string& filename)
 {
 return detail::get_loader_ref()(filename);
 }
@@ -641,5 +648,10 @@ namespace crow
 utility::sanitize_filename(filename_sanitized);
 return compile(detail::get_loader_ref()(filename_sanitized));
 }
+
+ inline template_t load_unsafe(const std::string& filename)
+ {
+ return compile(detail::get_loader_ref()(filename));
+ }
 } // namespace mustache
 } // namespace crow
diff --git a/include/crow/utility.h b/include/crow/utility.h
index fc1462b4f..460f89750 100644
--- a/include/crow/utility.h
+++ b/include/crow/utility.h
@@ -728,7 +728,15 @@ namespace crow
 }
 else if ((c == '/') || (c == '\\'))
 {
- checkForSpecialEntries = true;
+ //TODO(EDev): uncomment below once #332 is merged
+ if (/*CROW_UNLIKELY(*/ i == 0 /*)*/) //Prevent Unix Absolute Paths (Windows Absolute Paths are prevented with `(c == ':')`)
+ {
+ data[i] = replacement;
+ }
+ else
+ {
+ checkForSpecialEntries = true;
+ }
 }
 }
 }
diff --git a/tests/unittest.cpp b/tests/unittest.cpp
index 3cd09774c..6dc3353eb 100644
--- a/tests/unittest.cpp
+++ b/tests/unittest.cpp
@@ -2541,6 +2541,7 @@ TEST_CASE("sanitize_filename")
 CHECK(sanitize_filename("abc/COM9") == "abc/_");
 CHECK(sanitize_filename("abc/COM") == "abc/COM");
 CHECK(sanitize_filename("abc/CON") == "abc/_");
+ CHECK(sanitize_filename("/abc/") == "_abc/");
 }
 TEST_CASE("get_port")
diff --git a/vcpkg.json b/vcpkg.json
index 4ed5030fa..1b678651a 100644
--- a/vcpkg.json
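Review bot: The new escape strings for '`' and '=' come with no test pinning the escaped output, and in this rendering the old and new lines read identically because the entity text was decoded, so the actual change to the HTML-escaping output cannot be verified from the page. Since this switch is what neutralises template values in an HTML context, a `CHECK` in tests/unittest.cpp asserting the escaped form of both characters (and of the unchanged `"`, `'` and `/` cases) would make any future regression visible. The enclosing function starts outside the hunk.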
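Review bot: `load_text_unsafe`, and `load_unsafe` in the following hunk, are added without any comment, while `load_text` now rewrites the filename before loading; both pairs need documenting so callers choose the right one. I would put `/// Load a template file by name; the name is passed through utility::sanitize_filename first, so traversal and absolute paths are neutralised.` on `load_text`, and `/// Load a template file by name without sanitizing it. Only for names the application controls; never pass request input here — use load_text instead.` on `load_text_unsafe`, with the equivalent pair on `load` and `load_unsafe`. The copy into `filename_sanitized` is needed because `sanitize_filename` mutates in place and the parameter is a const reference, which is worth a short comment on that line.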
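Review bot: The new `i == 0` branch neutralises only a leading separator, which the `"/abc/"` case in tests/unittest.cpp covers; the two other leading forms the same branch handles, `"//abc"` and `"\\abc"`, are worth pinning there too (by the visible code they should become `"_/abc"` and `"_abc"`, assuming `replacement` is `'_'` and the rest of the function leaves the letters alone — confirm). Because a leading separator no longer sets `checkForSpecialEntries`, confirm that the first segment of an input such as `"/CON"` is still checked for reserved names, which depends on the variable's initial value outside the hunk. The inline comment on the `if` is currently the only documentation of this behaviour; the function's own doc comment, which starts outside the hunk, should state that Unix absolute paths are now rewritten to relative ones.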
+++ b/vcpkg.json
@@ -31,7 +31,7 @@
 "version>=": "1.70.0"
 },
 {
- "name": "openssl-windows"
+ "name": "openssl"
 },
 {
 "name": "zlib"