remove any query_string before chdir #4

Merged
solene merged 1 commit from phoebos/vger:query_string_slashes into master 2022-03-26 08:27:25 +00:00
Contributor

a query string could contain a '/' character, which would make vger try
to chdir to an incorrect directory. remove the query string before this,
and before percent-decoding (in case there is an encoded '?'). This
should happen even if we are not doing cgi, because some clients might
send a query string anyway, which should be ignored.

found this bug from this request:

```
Mar 15 20:20:21 bvnf vger: request gemini://bvnf.space/robots.txt?robot=true&uri=gemini://gemini.bortzmeyer.org/software/lupa/
Mar 15 20:20:21 bvnf vger: failed to chdir(robots.txt?robot=true&uri=gemini://gemini.bortzmeyer.org/software/lupa)
```

(the request should have been percent-encoded, but vger still shouldn't separate query strings so late)

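The ordering described in this pull request, as an added C example that is not vger's code and not part of the patch: `resolve` is a hypothetical helper that either removes the query string first (then percent-decodes, then splits on the last '/'), or separates it only after the directory has been chosen. The inputs are constructed from the logged request path plus one path containing an encoded '?'.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cut the string at the first raw '?', discarding any query string. */
static void strip_query(char *s) {
    char *q = strchr(s, '?');
    if (q != NULL) *q = '\0';
}

/* Percent-decode in place; malformed escapes are copied unchanged. */
static void percent_decode(char *s) {
    char *out = s;
    while (*s != '\0') {
        if (s[0] == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            s += 3;
        } else {
            *out++ = *s++;
        }
    }
    *out = '\0';
}

/* Hypothetical helper: split path (modified in place) into the directory to
 * chdir() into (returned) and the file to serve. early != 0 strips the query first. */
static const char *resolve(char *path, int early, const char **file) {
    if (early) strip_query(path);            /* before decoding: %3F stays in the name */
    percent_decode(path);
    char *slash = strrchr(path, '/');        /* last '/' separates directory and file */
    *file = slash ? slash + 1 : path;
    if (slash) *slash = '\0';
    if (!early) strip_query((char *)*file);  /* too late: directory already chosen */
    return slash ? path : "";
}

int main(void) {
    /* Constructed inputs: the path from the logged request, and one with an encoded '?'. */
    char late[]  = "robots.txt?robot=true&uri=gemini://gemini.bortzmeyer.org/software/lupa/";
    char early[] = "robots.txt?robot=true&uri=gemini://gemini.bortzmeyer.org/software/lupa/";
    char enc[]   = "docs/what%3F.gmi?x=a/b";
    const char *file, *dir;
    dir = resolve(late, 0, &file);  printf("late : chdir(%s) file=%s\n", dir, file);
    dir = resolve(early, 1, &file); printf("early: chdir(%s) file=%s\n", dir, file);
    dir = resolve(enc, 1, &file);   printf("early: chdir(%s) file=%s\n", dir, file);
    return 0;
}
```

With the late ordering the directory component reproduces the string in the `failed to chdir(...)` log line; with the early ordering the same request resolves to `robots.txt` in the current directory.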
phoebos added 1 commit 2022-03-19 14:57:13 +00:00
394b86bca8
remove any query_string before chdir
a query string could contain a '/' character, which would make vger try
to chdir to an incorrect directory. remove the query_string before this,
and before percent-decoding (in case there is an encoded '?'). This
should happen even if we are not doing cgi, because some clients might
send a query_string anyway, which should be ignored.
solene merged commit 8efcdb7512 into master 2022-03-26 08:27:25 +00:00
Owner

thank you very much for the fix

Reference: solene/vger#4