Only allow GET and HEAD for static files or return 405.
authorreyk <reyk@openbsd.org>
Sun, 3 Aug 2014 22:47:25 +0000 (22:47 +0000)
committerreyk <reyk@openbsd.org>
Sun, 3 Aug 2014 22:47:25 +0000 (22:47 +0000)
ok florian@

usr.sbin/httpd/server_file.c

index 19414ab..705bb9f 100644 (file)
@@ -1,4 +1,4 @@
-/*     $OpenBSD: server_file.c,v 1.26 2014/08/03 22:38:12 reyk Exp $   */
+/*     $OpenBSD: server_file.c,v 1.27 2014/08/03 22:47:25 reyk Exp $   */
 
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -63,6 +63,15 @@ server_file_access(struct client *clt, char *path, size_t len,
 
        errno = 0;
 
+       switch (desc->http_method) {
+       case HTTP_METHOD_GET:
+       case HTTP_METHOD_HEAD:
+               break;
+       default:
+               /* Other methods are not allowed */
+               return (405);
+       }
+
        if (access(path, R_OK) == -1) {
                goto fail;
        } else if (stat(path, st) == -1) {
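Review bot: The `return (405);` in the new `default:` branch gives no indication of which methods are permitted, and HTTP requires a 405 response to carry an `Allow` header. Whether the caller adds one is not visible in this hunk, so it should be confirmed or added where the status code is turned into a response. The comment could state the contract instead of restating the code, for example `/* Static files are read-only: only GET and HEAD; the 405 must be sent with "Allow: GET, HEAD" */`. Placing the check ahead of `access()` and `stat()` is the right order, because in the visible lines a rejected method gets the same answer whether or not the path exists or is readable. The body of server_file_access begins and continues outside the hunk.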