* HTTP Proxy: Limit proxy.i2p to /themes/ directory

59105a9a · zzz · abc23e9a · 59105a9a
Commit 59105a9a authored 15 years ago by zzz
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
@@ -811,11 +811,14 @@ public class I2PTunnelHTTPClient extends I2PTunnelClientBase implements Runnable
     *  but inproxy/gateway ops would be wise to block proxy.i2p to prevent
     *  exposing the docs/ directory or perhaps other issues through
     *  uncaught vulnerabilities.
+     *  Restrict to the /themes/ directory for now.
     *
-     *  @param targetRequest "proxy.i2p/foo.png HTTP/1.1"
+     *  @param targetRequest "proxy.i2p/themes/foo.png HTTP/1.1"
     */
    private static void serveLocalFile(OutputStream out, String method, String targetRequest) {
-        if (method.equals("GET") || method.equals("HEAD")) {
+        if ((method.equals("GET") || method.equals("HEAD")) &&
+            targetRequest.startsWith("proxy.i2p/themes/") &&
+            !targetRequest.contains("..")) {
            int space = targetRequest.indexOf(' ');
            String filename = null;
            try {