From b0cf8304cbe076ffadc966e03877e3a2246e65cc Mon Sep 17 00:00:00 2001
From: Alex Skalozub <pieceofsummer@gmail.com>
Date: Sat, 28 Jun 2014 23:14:21 +0400
Subject: [PATCH] Disallow WebDAV MKCOL/PUT/DELETE requests to protected files
 (like .htpasswd)

---
 mongoose.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mongoose.c b/mongoose.c
index ef3e98b17..066e92432 100644
--- a/mongoose.c
+++ b/mongoose.c
@@ -4268,6 +4268,8 @@ static void open_local_endpoint(struct connection *conn, int skip_user) {
 #ifndef MONGOOSE_NO_DAV
   } else if (!strcmp(conn->mg_conn.request_method, "PROPFIND")) {
     handle_propfind(conn, path, &st, exists);
+  } else if (must_hide_file(conn, path)) {
+    send_http_error(conn, 404, NULL);
   } else if (!strcmp(conn->mg_conn.request_method, "MKCOL")) {
     handle_mkcol(conn, path);
   } else if (!strcmp(conn->mg_conn.request_method, "DELETE")) {
-- 
GitLab