From 21ea69edb0cbd9e8c1cedf8a13bf5672403fd769 Mon Sep 17 00:00:00 2001
From: reyk
Date: Wed, 23 Jul 2014 22:18:57 +0000
Subject: [PATCH] Don't expose the docroot on error.
---
 usr.sbin/httpd/server_file.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/usr.sbin/httpd/server_file.c b/usr.sbin/httpd/server_file.c
index 8a818db84de..7c2ecf1f613 100644
--- a/usr.sbin/httpd/server_file.c
+++ b/usr.sbin/httpd/server_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server_file.c,v 1.8 2014/07/23 21:43:12 reyk Exp $ */
+/* $OpenBSD: server_file.c,v 1.9 2014/07/23 22:18:57 reyk Exp $ */
 /*
 * Copyright (c) 2006 - 2014 Reyk Floeter
@@ -99,6 +99,10 @@ server_file_access(struct http_descriptor *desc, char *path, size_t len,
 return (0);
 fail:
+ /* Remove the document root */
+ if (len && canonicalize_path(NULL, desc->http_path, path, len) == NULL)
+ return (500);
+
 switch (errno) {
 case ENOENT:
 return (404);
--
2.20.1
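Review bot: The added `canonicalize_path()` call under `fail:` now runs before `switch (errno)`, so the 404 and other status mappings depend on errno surviving that call. The helper's body is not visible here, so this may be harmless today, but capturing the value first removes the dependency: `save_errno = errno;` as the first statement after `fail:` (declared at the top of the function) and `switch (save_errno) {`. The `len &&` guard also means a caller passing `len == 0` gets `path` back unchanged, presumably still prefixed with the docroot. The comment could record that limit, for example `/* Rewrite path to the request path so error output does not reveal the docroot; skipped when len is 0 */`. The body of server_file_access starts and ends outside the hunk, so the paths that jump to `fail:` could not be checked.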