Diffstat (limited to 'plugins/static-files')
| -rw-r--r-- | plugins/static-files/static-files.cpp | 14 | 
1 files changed, 11 insertions, 3 deletions
diff --git a/plugins/static-files/static-files.cpp b/plugins/static-files/static-files.cpp
index 3f1c63a..345cf56 100644
--- a/plugins/static-files/static-files.cpp
+++ b/plugins/static-files/static-files.cpp
@@ -76,9 +76,17 @@ std::string static_files_plugin::generate_page(
   if (method != "GET" && method != "HEAD")
    return HttpStatus("400", "Unknown HTTP method", SetResponseHeader);
-  // Request path must not contain "..".
-  std::string rel_target{GetRequestParam("rel_target")};
   std::string target{GetRequestParam("target")};
+  size_t pos{target.find('?')};
+  if (pos != target.npos)
+   target = target.substr(0, pos);
+
+  std::string rel_target{GetRequestParam("rel_target")};
+  pos = rel_target.find('?');
+  if (pos != rel_target.npos)
+   rel_target = rel_target.substr(0, pos);
+
 
+  // Request path must not contain "..".
   if (rel_target.find("..") != std::string::npos) {
    return HttpStatus("400", "Illegal request: "s + target, SetResponseHeader);
   }
@@ -97,7 +105,7 @@ std::string static_files_plugin::generate_page(
   try {
    return getFile(path);
   } catch (const std::runtime_error& ex) {
-   return HttpStatus("404", "Not found: "s + GetRequestParam("target"), SetResponseHeader);
+   return HttpStatus("404", "Not found: "s + target, SetResponseHeader);
   } catch (const std::exception& ex) {
    return HttpStatus("500", "Internal Server Error: "s + ex.what(), SetResponseHeader);
   }
|
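Review bot: The `..` test on `rel_target` is still a plain substring match on whatever GetRequestParam returns, so it is only as strong as the decoding done before this point, which the hunk does not show. If percent-decoding or path joining happens after this check (the code that builds `path` lies between the two hunks), a second guard belongs there: canonicalize the joined path and confirm it is still under the document root before `getFile(path)`. At minimum, record the assumption next to the check, e.g. `// rel_target must already be percent-decoded; ".." is matched on the literal string`. The two query-stripping blocks are identical and could share one small helper, so that `target` and `rel_target` cannot drift apart. generate_page begins and ends outside this hunk.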
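Review bot: `target` in the 404 message is request-controlled text that goes straight into the response, and the same holds for the "Illegal request" message in the first hunk. Whether HttpStatus escapes its message is not visible here; if it emits an HTML body, the path should be HTML-escaped before concatenation, or the message reduced to a fixed string such as `"Not found"`. `ex` is unused in the `std::runtime_error` handler, so `catch (const std::runtime_error&)` would avoid the unused-variable warning. The try block is inside the hunk, but generate_page itself starts and ends outside it.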
