Fix potential of erroneous matching of URL containing encoded #.

2025-01-03 14:32:40 +00:00 · 2017-05-20 08:57:24 -04:00 · 2017-05-20 08:57:24 -04:00 · 054200dfc0
commit 054200dfc0
parent 0972cff660
2 changed files with 10 additions and 9 deletions
--- a/lib/REST/NextCloudNews/V1_2.php
+++ b/lib/REST/NextCloudNews/V1_2.php
@ -61,15 +61,15 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
            'items' => [],
            'folders' => [
                ''       => ['GET' => "folderList",   'POST'   => "folderAdd"],
-                '#'      => ['PUT' => "folderRename", 'DELETE' => "folderRemove"],
-                '#/read' => ['PUT' => "folderMarkRead"],
+                '0'      => ['PUT' => "folderRename", 'DELETE' => "folderRemove"],
+                '0/read' => ['PUT' => "folderMarkRead"],
            ],
            'feeds' => [
                ''         => ['GET' => "subscriptionList", 'POST' => "subscriptionAdd"],
-                '#'        => ['DELETE' => "subscriptionRemove"],
-                '#/move'   => ['PUT' => "subscriptionMove"],
-                '#/rename' => ['PUT' => "subscriptionRename"],
-                '#/read'   => ['PUT' => "subscriptionMarkRead"],
+                '0'        => ['DELETE' => "subscriptionRemove"],
+                '0/move'   => ['PUT' => "subscriptionMove"],
+                '0/rename' => ['PUT' => "subscriptionRename"],
+                '0/read'   => ['PUT' => "subscriptionMarkRead"],
                'all'      => ['GET' => "feedListStale"],
                'update'   => ['GET' => "feedUpdate"],
            ],
@ -82,9 +82,9 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
        ];
        // the first path element is the overall scope of the request
        $scope = $url[0];
-        // any URL components which are only digits should be replaced with "#", for easier comparison
+        // any URL components which are only digits should be replaced with "#", for easier comparison (integer segments are IDs, and we don't care about the specific ID)
        for($a = 0; $a < sizeof($url); $a++) {
-            if($this->validateId($url[$a])) $url[$a] = "#";
+            if($this->validateId($url[$a])) $url[$a] = "0";
        }
        // normalize the HTTP method to uppercase
        $method = strtoupper($method);
@ -94,6 +94,7 @@ class V1_2 extends \JKingWeb\Arsse\REST\AbstractHandler {
        // the URL is evaluated as an array so as to avoid decoded escapes turning invalid URLs into valid ones
        foreach($choices[$scope] as $path => $funcs) {
            // add the scope to the path to match against and split it
+            $path = (string) $path;
            $path = (strlen($path)) ? "$scope/$path" : $scope;
            $path = explode("/", $path);
            if($path===$url) {
--- a/lib/REST/Request.php
+++ b/lib/REST/Request.php
@ -62,7 +62,7 @@ class Request {
        // if the path is an empty string or just / nothing needs be done
        if(!in_array($out['path'],["/",""])) {
            $paths = explode("/", $out['path']);
-            // remove the first and last empty elements, if present (others should remain)
+            // remove the first and last empty elements, if present (they are artefacts of the splitting; others should remain)
            if(!strlen($paths[0])) array_shift($paths);
            if(!strlen($paths[sizeof($paths)-1])) array_pop($paths);
            // %-decode each path element