From 439ad21b121afd942fa6fa6bacf109e2310367d0 Mon Sep 17 00:00:00 2001
From: Paul Kulchenko <paul@kulchenko.com>
Date: Wed, 20 Jul 2022 23:26:49 -0700
Subject: [PATCH] Allow .well-known/ hidden paths (#499)

---
 net/http/isacceptablepath.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/http/isacceptablepath.c b/net/http/isacceptablepath.c
index fa155ce20..e1abffb39 100644
--- a/net/http/isacceptablepath.c
+++ b/net/http/isacceptablepath.c
@@ -26,6 +26,7 @@
  *
  * 1. The substring "//" is disallowed.
  * 2. We won't serve hidden files (segment starts with '.').
+ *    The only exception is `/.well-known/`.
  * 3. We won't serve paths with segments equal to "." or "..".
  *
  * It is assumed that the URI parser already took care of percent
@@ -66,7 +67,10 @@ bool IsAcceptablePath(const char *data, size_t size) {
       x = '/';
     }
     if (y == '/') {
-      if (x == '.') return false;
+      if (x == '.' &&  // allow /.well-known/ in the first position
+         (p - data > 2 ||
+          size < 13 ||
+          memcmp(data, "/.well-known/", 13) != 0)) return false;
       if (x == '/' && t) return false;
     }
     y = x;