FU: Reject some invalid characters in path
This commit is contained in:
Yorhel
parent
52c36e0aea
commit
6c54ee3091
2 changed files with 3 additions and 1 deletions
2
FU.pm
2
FU.pm
|
|
@ -313,10 +313,12 @@ sub _read_req($c) {
|
|||
# Decode these into Unicode strings and check for special characters.
|
||||
eval { FU::Util::utf8_decode($_); 1} || fu->error(400, $@)
|
||||
for ($REQ->{path}, $REQ->{qs}, values $REQ->{hdr}->%*);
|
||||
fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /#/; # Some bots don't correctly split off the fragment
|
||||
|
||||
($REQ->{path}, my $qs) = split /\?/, $REQ->{path}//'', 2;
|
||||
$REQ->{qs} //= $qs;
|
||||
eval { $REQ->{path} = FU::Util::uri_unescape($REQ->{path}); 1; } || fu->error(400, $@);
|
||||
fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /[\r\n\t]/; # There are plenty other questionable characters, but newlines and tabs are definitely out
|
||||
}
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue