From d2e1b116fc3960cc95c4c2012047802379d6911c Mon Sep 17 00:00:00 2001
From: Jakob Kaivo
Date: Thu, 18 Jul 2019 18:29:52 -0400
Subject: safe path names
---
 blog.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'blog.c')
diff --git a/blog.c b/blog.c
index 950ad5e..bcb0419 100644
--- a/blog.c
+++ b/blog.c
@@ -1,4 +1,5 @@
 #define _XOPEN_SOURCE 700
+#include
 #include
 #include
 #include
@@ -20,7 +21,7 @@
 #define HTML_HEAD DOCTYPE HTML META TITLE ICON STYLE BODY
-#define HTML_TAIL "\n\n"
+#define HTML_TAIL "\n\n\n"
 int handle_post(void)
 {
@@ -58,7 +59,11 @@ int handle_post(void)
 char *title = find_post_data("title");
 char uri[FILENAME_MAX] = { 0 };
- snprintf(uri, sizeof(uri), "%s/%s", ymd, title);
+ char *end = stpcpy(uri, ymd);
+ *end++ = '/';
+ for (char *f = title; *f != '\0'; f++) {
+ *end++ = isalnum(*f) ? *f : '-';
+ }
 int newpost = openat(blogdir, uri, O_WRONLY | O_CREAT, 0644);
 if (newpost == -1) {
-- 
cgit v1.2.1
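Review bot: The loop that replaces `snprintf()` in the third hunk (`@@ -58,7 +59,11 @@`, handle_post) writes through `end` with no bound, so a `title` longer than the space left in `uri[FILENAME_MAX]` now overruns the stack buffer where the old call truncated; `title` comes from `find_post_data("title")`, which looks like request data. Bounding the loop keeps the sanitising and leaves the terminator supplied by the `{ 0 }` initialiser in place: `for (char *f = title; *f != '\0' && end < uri + sizeof(uri) - 1; f++) {`. `isalnum(*f)` is also undefined for negative `char` values (any byte above 0x7f where `char` is signed), so the call should read `isalnum((unsigned char)*f)`. The hunk does not show whether `title` can be NULL or empty or how `ymd` is built, and handle_post's body starts and ends outside the hunk, so those checks may already exist elsewhere.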