From 394b86bca8e54bda60d5c2820101b47b4f538a97 Mon Sep 17 00:00:00 2001
From: aabacchus
Date: Sat, 19 Mar 2022 14:49:44 +0000
Subject: [PATCH] remove any query_string before chdir

a query string could contain a '/' character, which would make vger try to chdir to an incorrect directory. remove the query_string before this, and before percent-decoding (in case there is an encoded '?'). This should happen even if we are not doing cgi, because some clients might send a query_string anyway, which should be ignored.
---
 main.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/main.c b/main.c
index b4f0707..687bc15 100644
--- a/main.c
+++ b/main.c
@@ -436,6 +436,16 @@ main(int argc, char **argv)
 estrlcat(tmp, dir, sizeof(tmp));
 estrlcpy(dir, tmp, sizeof(dir));
 }
+
+ /* remove a query string before percent decoding */
+ /* look for "?" if any to set query for cgi, remove it */
+ pos = strchr(dir, '?');
+ if (pos != NULL) {
+ estrlcpy(query, pos + 1, sizeof(query));
+ uridecode(query);
+ pos[0] = '\0';
+ }
+
 /* percent decode */
 uridecode(dir);
@@ -479,13 +489,8 @@ main(int argc, char **argv)
 esetenv("SERVER_PROTOCOL", "GEMINI", 1);
 esetenv("SERVER_SOFTWARE", "vger/1", 1);
- /* look for "?" if any to set query for cgi, remove it */
- pos = strchr(file, '?');
- if (pos != NULL) {
- estrlcpy(query, pos + 1, sizeof(query));
+ if (*query)
 esetenv("QUERY_STRING", query, 1);
- pos[0] = '\0';
- }
 /* look for an extension to find PATH_INFO */
 pos = strrchr(file, '.');
 if (pos != NULL) {
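Review bot: The added `uridecode(query);` in the first hunk means QUERY_STRING reaches CGI scripts already percent-decoded, whereas RFC 3875 defines that variable as URL-encoded. A script that decodes it again will double-decode (`%2541` ends up as `A`), and a decoded `%00` or `%0A` could truncate the value or put a raw newline into it, depending on how uridecode treats them (its body is not in this hunk). The old code probably had the same effect, since the query was cut from the already decoded path, so this is the place to decide it deliberately. Either drop the `uridecode(query);` line or add a comment such as `/* QUERY_STRING is handed to CGI percent-decoded */` and document that for script authors. main() starts and ends outside the hunk.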
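Review bot: In the second hunk, `if (*query)` now reads `query` on every CGI request, including those without a '?', so the buffer must start out as an empty string. Its declaration is outside this hunk; if it is an uninitialised automatic array, this is a read of indeterminate memory that could export garbage as QUERY_STRING. The guard also leaves QUERY_STRING unset when the query is empty or absent, while RFC 3875 requires the server to always define it (as "" when there is no query), and a value inherited from the parent environment would then survive into the script. I would initialise at the declaration, `char query[<existing size>] = "";`, and call `esetenv("QUERY_STRING", query, 1);` unconditionally instead of under `if (*query)`.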