From 6c54ee30911bb26dfd1fd0538cd5bd1d1280ac0f Mon Sep 17 00:00:00 2001
From: Yorhel
Date: Fri, 9 May 2025 08:32:41 +0200
Subject: [PATCH] FU: Reject some invalid characters in path
---
 FU.pm | 2 ++
 FU/Util.pm | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/FU.pm b/FU.pm
index f81be88..1a826e1 100644
--- a/FU.pm
+++ b/FU.pm
@@ -313,10 +313,12 @@ sub _read_req($c) {
 # Decode these into Unicode strings and check for special characters.
 eval { FU::Util::utf8_decode($_); 1} || fu->error(400, $@) for ($REQ->{path}, $REQ->{qs}, values $REQ->{hdr}->%*);
+ fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /#/; # Some bots don't correctly split off the fragment
 ($REQ->{path}, my $qs) = split /\?/, $REQ->{path}//'', 2;
 $REQ->{qs} //= $qs;
 eval { $REQ->{path} = FU::Util::uri_unescape($REQ->{path}); 1; } || fu->error(400, $@);
+ fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /[\r\n\t]/; # There are plenty other questionable characters, but newlines and tabs are definitely out
 }
diff --git a/FU/Util.pm b/FU/Util.pm
index 7d585d9..18db781 100644
--- a/FU/Util.pm
+++ b/FU/Util.pm
@@ -20,7 +20,7 @@ our @EXPORT_OK = qw/
 sub utf8_decode :prototype($) {
 return if !defined $_[0];
 confess 'Invalid UTF-8' if !utf8::decode($_[0]);
- confess 'Invalid control character' if $_[0] =~ /[\x00-\x08\x0b\x0c\x0e-\x1f]/;
+ confess 'Invalid control character' if $_[0] =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
 $_[0]
 }
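Review bot: The new `/#/` check on the first added line matches `$REQ->{path}` before it is known to be defined, while the `split` two lines later still guards with `//''` and `utf8_decode` returns early on undef, so an undefined path would raise an uninitialized-value warning under `use warnings` instead of a clean 400; `fu->error(400, 'Invalid character in path') if ($REQ->{path}//'') =~ /#/;` keeps the two lines consistent. The second added line, placed after `uri_unescape`, rejects only `\r`, `\n` and `\t`; if `uri_unescape` does not itself reject other decoded control characters (not visible in this hunk), a percent-encoded `%00`–`%1f` or `%7f` would still reach the handler even though `utf8_decode` rejects the same bytes when they arrive unencoded, so matching the class used there, e.g. `/[\x00-\x1f\x7f]/`, would close that gap. The hunk covers only the tail of `_read_req`; the sub starts outside it.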
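Review bot: The widened character class on the `+` line deliberately leaves out `\t`, `\n` and `\r` (\x09, \x0a, \x0d) and still admits the C1 range \x80–\x9f, but nothing in `utf8_decode` says why, so the next reader is likely to "fix" it; a trailing comment such as `# C0 controls and DEL; \t \n \r are left for callers to police (see the path check in _read_req)` would record the intent. It is also worth stating in the sub's documentation that the match runs after `utf8::decode($_[0])` has already modified the caller's aliased variable in place, so a rejected value is handed back decoded; that is pre-existing behaviour rather than something this commit changes. The whole sub is visible in the hunk.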