kore

Kore is a web application platform for writing scalable, concurrent web based processes in C or Python.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git
commit 15071f5a14b7123b8563d487745c6093f6b9cb3f
parent 21839aeaa2fa372a6790a8b01ad6e22f6b8dd671
Author: Joris Vink <joris@coders.se>
Date:   Sun, 12 Mar 2023 23:33:47 +0100

Change http_argument_urldecode().

Takes a new parameter now `qs`, if set to 1 it'll urldecode
according to how its always done it before.

If not set to 0 (for posts for example), the decoder will allow
\n and \r in addition to the other ones.

Diffstat:

include/kore/http.h | 2+-


src/filemap.c | 2+-


src/http.c | 16+++++++++++-----


3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/include/kore/http.h b/include/kore/http.h
@@ -415,8 +415,8 @@ int		http_state_exists(struct http_request *);
 void		http_state_cleanup(struct http_request *);
 void		*http_state_create(struct http_request *, size_t);
 
-int		http_argument_urldecode(char *);
 int		http_header_recv(struct netbuf *);
+int		http_argument_urldecode(char *, int);
 void		http_populate_qs(struct http_request *);
 void		http_populate_post(struct http_request *);
 void		http_populate_multipart_form(struct http_request *);
diff --git a/src/filemap.c b/src/filemap.c
@@ -195,7 +195,7 @@ filemap_serve(struct http_request *req, const struct filemap_entry *map)
 		return;
 	}
 
-	if (!http_argument_urldecode(fpath)) {
+	if (!http_argument_urldecode(fpath, 1)) {
 		http_response(req, HTTP_STATUS_BAD_REQUEST, NULL, 0);
 		return;
 	}
diff --git a/src/http.c b/src/http.c
@@ -1008,7 +1008,7 @@ http_argument_get(struct http_request *req, const char *name,
 }
 
 int
-http_argument_urldecode(char *arg)
+http_argument_urldecode(char *arg, int url)
 {
 	u_int8_t	v;
 	int		err;
@@ -1046,8 +1046,14 @@ http_argument_urldecode(char *arg)
 		if (err != KORE_RESULT_OK)
 			return (err);
 
-		if (v <= 0x1f || v == 0x7f)
-			return (KORE_RESULT_ERROR);
+		if (url) {
+			if (v <= 0x1f || v == 0x7f)
+				return (KORE_RESULT_ERROR);
+		} else {
+			if ((v <= 0x1f || v == 0x7f) &&
+			    (v != '\n' && v != '\r'))
+				return (KORE_RESULT_ERROR);
+		}
 
 		*in++ = (char)v;
 		p += 3;
@@ -2284,7 +2290,7 @@ http_argument_add(struct http_request *req, char *name, char *value, int qs,
 	struct kore_route_params	*p;
 
 	if (decode) {
-		if (!http_argument_urldecode(name))
+		if (!http_argument_urldecode(name, qs))
 			return;
 	}
 
@@ -2301,7 +2307,7 @@ http_argument_add(struct http_request *req, char *name, char *value, int qs,
 			continue;
 
 		if (decode) {
-			if (!http_argument_urldecode(value))
+			if (!http_argument_urldecode(value, qs))
 				return;
 		}