💾 Archived View for gemini.susa.net › gemserv_hack.gmi captured on 2023-11-14 at 07:55:56. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-05-30)
-=-=-=-=-=-=-
I decided to add a test at line 225 of con_handler.rs to return 'not found' for any URL path component that contains a URL encoded character.
I have no need for URL encoded paths on my system, and this seems like a weak spot (any kind of escaping is the bane of software security) that I don't need to have - I recommend it.
If you have recently compiled gemserv with the latest codebase, then the diff below will do that for you, though you can just paste the + lines manually at line 225 of con_handler.rs if you want.
diff --git a/src/con_handler.rs b/src/con_handler.rs
index 33cb604..c4d3d51 100644
--- a/src/con_handler.rs
+++ b/src/con_handler.rs
@@ -222,6 +222,12 @@ pub async fn handle_connection(mut con: conn::Connection, url: url::Url) -> Resu
let mut path = PathBuf::new();
+ if url.path().contains("%") {
+ logger::logger(con.peer_addr, Status::NotFound, url.as_str());
+ con.send_status(Status::NotFound, None).await?;
+ return Ok(());
+ }
+
if url.path().starts_with("/~") && con.srv.server.usrdir.unwrap_or(false) {
let usr = url.path().trim_start_matches("/~");
let usr: Vec<&str> = usr.splitn(2, '/').collect();
In the unlikely event that this breaks any part of my site, please let me know and I will modify my site files to avoid using URL encoded paths.