diff --git a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
index ce63e5359f000d67a1f08ad91c022a592b11776b..f450682cd0731051e06ffa6ed247a34f5e66b82b 100644
--- a/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
+++ b/apps/i2ptunnel/java/src/net/i2p/i2ptunnel/I2PTunnelHTTPClient.java
@@ -811,11 +811,14 @@ public class I2PTunnelHTTPClient extends I2PTunnelClientBase implements Runnable
 * but inproxy/gateway ops would be wise to block proxy.i2p to prevent
 * exposing the docs/ directory or perhaps other issues through
 * uncaught vulnerabilities.
+ * Restrict to the /themes/ directory for now.
 *
- * @param targetRequest "proxy.i2p/foo.png HTTP/1.1"
+ * @param targetRequest "proxy.i2p/themes/foo.png HTTP/1.1"
 */
 private static void serveLocalFile(OutputStream out, String method, String targetRequest) {
- if (method.equals("GET") || method.equals("HEAD")) {
+ if ((method.equals("GET") || method.equals("HEAD")) &&
+ targetRequest.startsWith("proxy.i2p/themes/") &&
+ !targetRequest.contains("..")) {
 int space = targetRequest.indexOf(' ');
 String filename = null;
 try {
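Review bot: The new guard in `serveLocalFile` tests the raw request string (`startsWith("proxy.i2p/themes/")` and `!contains("..")`), so whether it really confines reads to the themes directory depends on how `filename` is derived inside the `try` block, which continues outside this hunk. If that code percent-decodes the path, or the platform accepts a separator other than `/`, a textual `..` test on the undecoded string is not sufficient by itself. The sturdier check is on the resolved file after decoding, rejecting the request unless `file.getCanonicalPath().startsWith(themesDir.getCanonicalPath() + File.separator)` holds (`file` and `themesDir` are placeholder names, not identifiers from this file). The Javadoc could also say what a rejected request receives, presumably the same response as a non-GET/HEAD method, since that branch is not visible here.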