Skip to content

Commit

Permalink
bug: do not treat ./ as invalid uri
Browse files Browse the repository at this point in the history
Co-authored-by: Pavel Balaev <[email protected]>

Closes #171
  • Loading branch information
eugenepaniot authored and 0x501D committed Mar 28, 2023
1 parent e7f263d commit a3ac19f
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 1 deletion.
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

- Add versioning support.

### Fixed

- Allow dot in path segment.

## [1.4.0] - 2022-12-30

### Added
Expand Down
9 changes: 8 additions & 1 deletion http/server.lua
Original file line number Diff line number Diff line change
Expand Up @@ -746,10 +746,17 @@ local function parse_request(req)
end
p.path_raw = p.path
p.path = uri_unescape(p.path)
if p.path:sub(1, 1) ~= "/" or p.path:find("./", nil, true) ~= nil then
if p.path:sub(1, 1) ~= "/" then
p.error = "invalid uri"
return p
end
for _, path_segment in ipairs(p.path:split('/')) do
if path_segment == "." or path_segment == ".." then
p.error = "invalid uri"
return p
end
end

return p
end

Expand Down
9 changes: 9 additions & 0 deletions test/integration/http_server_requests_test.lua
Original file line number Diff line number Diff line change
Expand Up @@ -417,3 +417,12 @@ g.test_content_type_header_without_render = function()
t.assert_equals(r.status, 200)
t.assert_equals(r.headers['content-type'], 'text/plain; charset=utf-8', 'content-type header')
end

g.test_get_dot_slash = function()
local httpd = g.httpd
httpd:route({
path = '/*dot_slash'
}, function() end)
local r = http_client.get(helpers.base_uri .. '/dot_slash.')
t.assert_equals(r.status, 200)
end

0 comments on commit a3ac19f

Please sign in to comment.