
Fix potential erroneous matching of a URL containing an encoded #.

This commit is contained in:
J. King 2017-05-20 08:57:24 -04:00
parent 0972cff660
commit 054200dfc0
2 changed files with 10 additions and 9 deletions


@ -61,15 +61,15 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
'items' => [], 'items' => [],
'folders' => [ 'folders' => [
'' => ['GET' => "folderList", 'POST' => "folderAdd"], '' => ['GET' => "folderList", 'POST' => "folderAdd"],
'#' => ['PUT' => "folderRename", 'DELETE' => "folderRemove"], '0' => ['PUT' => "folderRename", 'DELETE' => "folderRemove"],
'#/read' => ['PUT' => "folderMarkRead"], '0/read' => ['PUT' => "folderMarkRead"],
], ],
'feeds' => [ 'feeds' => [
'' => ['GET' => "subscriptionList", 'POST' => "subscriptionAdd"], '' => ['GET' => "subscriptionList", 'POST' => "subscriptionAdd"],
'#' => ['DELETE' => "subscriptionRemove"], '0' => ['DELETE' => "subscriptionRemove"],
'#/move' => ['PUT' => "subscriptionMove"], '0/move' => ['PUT' => "subscriptionMove"],
'#/rename' => ['PUT' => "subscriptionRename"], '0/rename' => ['PUT' => "subscriptionRename"],
'#/read' => ['PUT' => "subscriptionMarkRead"], '0/read' => ['PUT' => "subscriptionMarkRead"],
'all' => ['GET' => "feedListStale"], 'all' => ['GET' => "feedListStale"],
'update' => ['GET' => "feedUpdate"], 'update' => ['GET' => "feedUpdate"],
], ],
@ -82,9 +82,9 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
]; ];
// the first path element is the overall scope of the request // the first path element is the overall scope of the request
$scope = $url[0]; $scope = $url[0];
// any URL components which are only digits should be replaced with "#", for easier comparison // any URL components which are only digits should be replaced with "#", for easier comparison (integer segments are IDs, and we don't care about the specific ID)
for($a = 0; $a < sizeof($url); $a++) { for($a = 0; $a < sizeof($url); $a++) {
if($this->validateId($url[$a])) $url[$a] = "#"; if($this->validateId($url[$a])) $url[$a] = "0";
} }
// normalize the HTTP method to uppercase // normalize the HTTP method to uppercase
$method = strtoupper($method); $method = strtoupper($method);
@ -94,6 +94,7 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
// the URL is evaluated as an array so as to avoid decoded escapes turning invalid URLs into valid ones // the URL is evaluated as an array so as to avoid decoded escapes turning invalid URLs into valid ones
foreach($choices[$scope] as $path => $funcs) { foreach($choices[$scope] as $path => $funcs) {
// add the scope to the path to match against and split it // add the scope to the path to match against and split it
$path = (string) $path;
$path = (strlen($path)) ? "$scope/$path" : $scope; $path = (strlen($path)) ? "$scope/$path" : $scope;
$path = explode("/", $path); $path = explode("/", $path);
if($path===$url) { if($path===$url) {
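Review bot: The comment above the normalisation loop on the new side still says digit-only segments are replaced with "#", while the statement right below it now substitutes "0"; it should read `// any URL components which are only digits should be replaced with "0", for easier comparison (integer segments are IDs, and we don't care about the specific ID)`. The new placeholder closes the `%23` hole only on the assumption that a segment decoding to `0` is itself accepted by validateId(); validateId() is not visible here, and if it rejects "0" (say, by requiring a positive integer) a literal `/folders/0` or `/folders/%30` would still match the placeholder route without having been validated, so a test pinning validateId("0") to the intended result would document that assumption. The added `$path = (string) $path;` is needed because PHP converts the `'0'` array key to an integer, and a one-line comment saying so (`// PHP stores the '0' key as int; restore a string before strlen/explode`) would keep the next reader from removing it. The routing table and loop belong to a method that starts and ends outside these hunks.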


@ -62,7 +62,7 @@ class Request {
// if the path is an empty string or just / nothing needs be done // if the path is an empty string or just / nothing needs be done
if(!in_array($out['path'],["/",""])) { if(!in_array($out['path'],["/",""])) {
$paths = explode("/", $out['path']); $paths = explode("/", $out['path']);
// remove the first and last empty elements, if present (others should remain) // remove the first and last empty elements, if present (they are artefacts of the splitting; others should remain)
if(!strlen($paths[0])) array_shift($paths); if(!strlen($paths[0])) array_shift($paths);
if(!strlen($paths[sizeof($paths)-1])) array_pop($paths); if(!strlen($paths[sizeof($paths)-1])) array_pop($paths);
// %-decode each path element // %-decode each path element