Fix potential of erroneous matching of URL containing encoded #.
This commit is contained in:
parent
0972cff660
commit
054200dfc0
2 changed files with 10 additions and 9 deletions
|
@ -61,15 +61,15 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
|
||||||
'items' => [],
|
'items' => [],
|
||||||
'folders' => [
|
'folders' => [
|
||||||
'' => ['GET' => "folderList", 'POST' => "folderAdd"],
|
'' => ['GET' => "folderList", 'POST' => "folderAdd"],
|
||||||
'#' => ['PUT' => "folderRename", 'DELETE' => "folderRemove"],
|
'0' => ['PUT' => "folderRename", 'DELETE' => "folderRemove"],
|
||||||
'#/read' => ['PUT' => "folderMarkRead"],
|
'0/read' => ['PUT' => "folderMarkRead"],
|
||||||
],
|
],
|
||||||
'feeds' => [
|
'feeds' => [
|
||||||
'' => ['GET' => "subscriptionList", 'POST' => "subscriptionAdd"],
|
'' => ['GET' => "subscriptionList", 'POST' => "subscriptionAdd"],
|
||||||
'#' => ['DELETE' => "subscriptionRemove"],
|
'0' => ['DELETE' => "subscriptionRemove"],
|
||||||
'#/move' => ['PUT' => "subscriptionMove"],
|
'0/move' => ['PUT' => "subscriptionMove"],
|
||||||
'#/rename' => ['PUT' => "subscriptionRename"],
|
'0/rename' => ['PUT' => "subscriptionRename"],
|
||||||
'#/read' => ['PUT' => "subscriptionMarkRead"],
|
'0/read' => ['PUT' => "subscriptionMarkRead"],
|
||||||
'all' => ['GET' => "feedListStale"],
|
'all' => ['GET' => "feedListStale"],
|
||||||
'update' => ['GET' => "feedUpdate"],
|
'update' => ['GET' => "feedUpdate"],
|
||||||
],
|
],
|
||||||
|
@ -82,9 +82,9 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
|
||||||
];
|
];
|
||||||
// the first path element is the overall scope of the request
|
// the first path element is the overall scope of the request
|
||||||
$scope = $url[0];
|
$scope = $url[0];
|
||||||
// any URL components which are only digits should be replaced with "#", for easier comparison
|
// any URL components which are only digits should be replaced with "#", for easier comparison (integer segments are IDs, and we don't care about the specific ID)
|
||||||
for($a = 0; $a < sizeof($url); $a++) {
|
for($a = 0; $a < sizeof($url); $a++) {
|
||||||
if($this->validateId($url[$a])) $url[$a] = "#";
|
if($this->validateId($url[$a])) $url[$a] = "0";
|
||||||
}
|
}
|
||||||
// normalize the HTTP method to uppercase
|
// normalize the HTTP method to uppercase
|
||||||
$method = strtoupper($method);
|
$method = strtoupper($method);
|
||||||
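Review bot: The new sentinel in `$url[$a] = "0";` can still collide with a request whose %-decoded segment is literally `0`: if validateId() (defined outside the hunk) does not accept `0` as an ID, that segment is left untouched yet still compares equal to the `'0'` route pattern in the third hunk, so folderRename, subscriptionRemove and the other ID-bound handlers would be dispatched with an ID that validation rejected. Since every path element is decoded before the `$path===$url` comparison, no string sentinel is safe against a crafted segment; a value of another type is, e.g. `$url[$a] = 0;` here (int) and, after the `explode` in the third hunk, `foreach ($path as $i => $seg) { if ($seg === "0") $path[$i] = 0; }`, so the strict array comparison only matches segments that validateId() canonicalised. The `$path = (string) $path;` line added in the third hunk also deserves a why-comment, as its purpose is not obvious: `// PHP stores integer-like keys such as '0' as int; restore the string form before strlen()/explode()`. The enclosing dispatch method begins before the first hunk and continues after the third.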
|
@ -94,6 +94,7 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
|
||||||
// the URL is evaluated as an array so as to avoid decoded escapes turning invalid URLs into valid ones
|
// the URL is evaluated as an array so as to avoid decoded escapes turning invalid URLs into valid ones
|
||||||
foreach($choices[$scope] as $path => $funcs) {
|
foreach($choices[$scope] as $path => $funcs) {
|
||||||
// add the scope to the path to match against and split it
|
// add the scope to the path to match against and split it
|
||||||
|
$path = (string) $path;
|
||||||
$path = (strlen($path)) ? "$scope/$path" : $scope;
|
$path = (strlen($path)) ? "$scope/$path" : $scope;
|
||||||
$path = explode("/", $path);
|
$path = explode("/", $path);
|
||||||
if($path===$url) {
|
if($path===$url) {
|
||||||
|
|
|
@ -62,7 +62,7 @@ class Request {
|
||||||
// if the path is an empty string or just / nothing needs be done
|
// if the path is an empty string or just / nothing needs be done
|
||||||
if(!in_array($out['path'],["/",""])) {
|
if(!in_array($out['path'],["/",""])) {
|
||||||
$paths = explode("/", $out['path']);
|
$paths = explode("/", $out['path']);
|
||||||
// remove the first and last empty elements, if present (others should remain)
|
// remove the first and last empty elements, if present (they are artefacts of the splitting; others should remain)
|
||||||
if(!strlen($paths[0])) array_shift($paths);
|
if(!strlen($paths[0])) array_shift($paths);
|
||||||
if(!strlen($paths[sizeof($paths)-1])) array_pop($paths);
|
if(!strlen($paths[sizeof($paths)-1])) array_pop($paths);
|
||||||
// %-decode each path element
|
// %-decode each path element
|
||||||
|
|