vndb/fu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

FU: Reject some invalid characters in path

Browse source
This commit is contained in:
Yorhel 2025-05-09 08:32:41 +02:00
parent 52c36e0aea
commit 6c54ee3091
2 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
FU.pm
View file

@ -313,10 +313,12 @@ sub _read_req($c) {
# Decode these into Unicode strings and check for special characters. # Decode these into Unicode strings and check for special characters.
eval { FU::Util::utf8_decode($_); 1} || fu->error(400, $@) eval { FU::Util::utf8_decode($_); 1} || fu->error(400, $@)
for ($REQ->{path}, $REQ->{qs}, values $REQ->{hdr}->%*); for ($REQ->{path}, $REQ->{qs}, values $REQ->{hdr}->%*);
fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /#/; # Some bots don't correctly split off the fragment
($REQ->{path}, my $qs) = split /\?/, $REQ->{path}//'', 2; ($REQ->{path}, my $qs) = split /\?/, $REQ->{path}//'', 2;
$REQ->{qs} //= $qs; $REQ->{qs} //= $qs;
eval { $REQ->{path} = FU::Util::uri_unescape($REQ->{path}); 1; } || fu->error(400, $@); eval { $REQ->{path} = FU::Util::uri_unescape($REQ->{path}); 1; } || fu->error(400, $@);
fu->error(400, 'Invalid character in path') if $REQ->{path} =~ /[\r\n\t]/; # There are plenty other questionable characters, but newlines and tabs are definitely out
} }

2
FU/Util.pm
View file

@ -20,7 +20,7 @@ our @EXPORT_OK = qw/
sub utf8_decode :prototype($) { sub utf8_decode :prototype($) {
return if !defined $_[0]; return if !defined $_[0];
confess 'Invalid UTF-8' if !utf8::decode($_[0]); confess 'Invalid UTF-8' if !utf8::decode($_[0]);
confess 'Invalid control character' if $_[0] =~ /[\x00-\x08\x0b\x0c\x0e-\x1f]/; confess 'Invalid control character' if $_[0] =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/;
$_[0] $_[0]
} }