Previously, all hidden targets were rejected with 403, but /.well-known/
and its contents should be an exception.
---
 http.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/http.c b/http.c
index 49b30dc..7f20c23 100644
--- a/http.c
+++ b/http.c
@@ -600,8 +600,10 @@ http_send_response(int fd, const struct request *req)
                return http_send_status(fd, S_BAD_REQUEST);
        }
 
-       /* reject hidden target */
-       if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
+       /* reject hidden target, except for /.well-known/
+        * and its contents (see RFC 8615) */
+       if (realtarget[0] == '.' || (strstr(realtarget, "/.") &&
+               strstr(realtarget, "/.well-known/") != realtarget)) {
                return http_send_status(fd, S_FORBIDDEN);
        }
 
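Review bot: The new condition on the `if` exempts the whole target once it begins with `/.well-known/`, so a dot-prefixed component deeper in that tree (a dotfile or dot-directory placed under `.well-known`) is no longer answered with 403. The exemption should cover only the leading component, with the rest of the path still scanned: `const char *p = strncmp(realtarget, "/.well-known/", sizeof("/.well-known/") - 1) ? realtarget : realtarget + sizeof("/.well-known/") - 2;` followed by `if (realtarget[0] == '.' || strstr(p, "/.")) {`. The comment could also say that only the first path component is exempt. http_send_response starts and ends outside the hunk, so whether `realtarget` is already normalized at this point cannot be confirmed from here.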
-- 
2.17.1

