From d8f8ed14a9ee1013bf579b4dcaacb73d49995aae Mon Sep 17 00:00:00 2001
From: sl <sl@stanleylieber.com>
Date: Sun, 21 Nov 2021 18:49:58 -0500
Subject: [PATCH] bin/contrib/rc-httpd{rc-httpd, handlers/error}: do some
 minimal sanitization on $SERVER_NAME before handing it off to select-handler.
 this prevents malformed Host: headers from retrieving arbitrary files from
 the file system. (thanks, Lightning)

---
 bin/contrib/rc-httpd/rc-httpd | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/bin/contrib/rc-httpd/rc-httpd b/bin/contrib/rc-httpd/rc-httpd
index 8e4fad9..864a8d0 100755
--- a/bin/contrib/rc-httpd/rc-httpd
+++ b/bin/contrib/rc-httpd/rc-httpd
@@ -86,6 +86,11 @@ if(~ $#SERVER_NAME 2){
 	SERVER_PORT=$SERVER_NAME(2)
 	SERVER_NAME=$SERVER_NAME(1)
 }
+switch($SERVER_NAME){
+	case */* ..
+		error 400
+		exit
+}
 if(~ $REQUEST_METHOD (PUT POST)){
 	if(! ~ $"CONTENT_LENGTH '')
 		trim_input | exec $rc_httpd_dir/select-handler