💾 Archived View for gemini.susa.net › gemserv_hack.gmi captured on 2023-07-10 at 13:44:24. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-05-30)

-=-=-=-=-=-=-

Gemserv - Just Block All Encoded Paths

I decided to add a test at line 225 of con_handler.rs to return 'not found' for any URL path component that contains a URL encoded character.

I have no need for URL encoded paths on my system, and this seems like a weak spot (any kind of escaping is the bane of software security) that I don't need to have - I recommend it.

If you have recently compiled gemserv with the latest codebase, then the diff below will do that for you, though you can just paste the + lines manually at line 225 of con_handler.rs if you want.

diff --git a/src/con_handler.rs b/src/con_handler.rs
index 33cb604..c4d3d51 100644
--- a/src/con_handler.rs
+++ b/src/con_handler.rs
@@ -222,6 +222,12 @@ pub async fn handle_connection(mut con: conn::Connection, url: url::Url) -> Resu

     let mut path = PathBuf::new();

+    if url.path().contains("%") {
+        logger::logger(con.peer_addr, Status::NotFound, url.as_str());
+        con.send_status(Status::NotFound, None).await?;
+        return Ok(());
+    }
+
     if url.path().starts_with("/~") && con.srv.server.usrdir.unwrap_or(false) {
         let usr = url.path().trim_start_matches("/~");
         let usr: Vec<&str> = usr.splitn(2, '/').collect();

In the unlikely event that this breaks any part of my site, please let me know and I will modify my site files to avoid using URL encoded paths.