Archived View for gemini.susa.net › gemserv_hack.gmi captured on 2023-03-20 at 17:48:28.
I decided to add a test at line 225 of con_handler.rs to return 'not found' for any URL path component that contains a URL-encoded character.
I have no need for URL-encoded paths on my system, and this seems like a weak spot (any kind of escaping is the bane of software security) that I don't need to have - I recommend it.
If you have recently compiled gemserv with the latest codebase, then the diff below will do that for you, though you can just paste the + lines manually at line 225 of con_handler.rs if you want.
diff --git a/src/con_handler.rs b/src/con_handler.rs index 33cb604..c4d3d51 100644 --- a/src/con_handler.rs +++ b/src/con_handler.rs @@ -222,6 +222,12 @@ pub async fn handle_connection(mut con: conn::Connection, url: url::Url) -> Resu let mut path = PathBuf::new(); + if url.path().contains("%") { + logger::logger(con.peer_addr, Status::NotFound, url.as_str()); + con.send_status(Status::NotFound, None).await?; + return Ok(()); + } + if url.path().starts_with("/~") && con.srv.server.usrdir.unwrap_or(false) { let usr = url.path().trim_start_matches("/~"); let usr: Vec<&str> = usr.splitn(2, '/').collect();
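Review bot: the `url.path().contains("%")` test at the top of the added block runs on the path after `url::Url` has parsed it, and that parser percent-encodes characters such as spaces and non-ASCII bytes on its own, so a request for a file whose name contains a space or a non-ASCII character will now also get `Status::NotFound`, even if the client sent it unencoded. If that is the intended policy, a one-line comment above the `if` stating it would save the next reader from guessing. Only the path is checked, so a `%` in the query string still passes through to the code below; and as a style point, `contains('%')` with a char pattern is the more idiomatic form.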
In the unlikely event that this breaks any part of my site, please let me know and I will modify my site files to avoid using URL-encoded paths.