authorGravatar Nicolai Dagestad2024-09-15 15:03:21 +0200
committerGravatar Nicolai Dagestad2024-09-15 18:39:49 +0200
commitba5cbb6d828165a43826c6afdd71fa2edbdca302 (patch)
tree87290e2f2a97433c35f0ce86cd14cabe9703dd2c
parentMinor code cleaning. (diff)
URL decode data after splitting the arguments
Data decoding should happen after the parsing; if not, a decoded '?', '&', '#' or other character will interfere with the parsing. E.g. if the user's password contains a '&', it is truncated at that character and login will fail.
-rw-r--r--mastoapi.c12
-rw-r--r--xs_fcgi.h6
-rw-r--r--xs_httpd.h5
-rw-r--r--xs_url.h2
4 files changed, 9 insertions, 16 deletions
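diff --git a/mastoapi.c b/mastoapi.c
index ec8268c..ffd1982 100644
--- a/mastoapi.c
+++ b/mastoapi.c
@@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path,
 }
 else
 if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) {
-xs *upl = xs_url_dec(payload);
-args = xs_url_vars(upl);
+args = xs_url_vars(payload);
 }
 else
 args = xs_dup(xs_dict_get(req, "p_vars"));
@@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path,
 {
 // Some apps send form data instead of json so we should cater for those
 if (!xs_is_null(payload)) {
-xs *upl = xs_url_dec(payload);
-args = xs_url_vars(upl);
+args = xs_url_vars(payload);
 }
 }
 else
@@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path,
 {
 // Some apps send form data instead of json so we should cater for those
 if (!xs_is_null(payload)) {
-xs *upl = xs_url_dec(payload);
-args = xs_url_vars(upl);
+args = xs_url_vars(payload);
 }
 }
 else
@@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path,
 {
 // Some apps send form data instead of json so we should cater for those
 if (!xs_is_null(payload)) {
-xs *upl = xs_url_dec(payload);
-args = xs_url_vars(upl);
+args = xs_url_vars(payload);
 }
 }
 else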
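Review bot: Nothing at the four rewritten call sites (`oauth_post_handler`, `mastoapi_post_handler`, `mastoapi_delete_handler`, `mastoapi_patch_handler`) records that `xs_url_vars()` now expects the body still percent-encoded and does the decoding itself. If a later edit re-adds a pre-decode, values are decoded twice, so a field sent as `%2526` would come out as `&` instead of `%26`. I would add a comment above each call, for example `// payload must still be percent-encoded here; xs_url_vars() decodes each pair after splitting`. All four enclosing functions start and end outside their hunks.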
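diff --git a/xs_fcgi.h b/xs_fcgi.h
index 0dbd895..6d3b030 100644
--- a/xs_fcgi.h
+++ b/xs_fcgi.h
@@ -179,8 +179,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
 req = xs_dict_append(req, "method", v);
 else
 if (strcmp(k, "REQUEST_URI") == 0) {
-xs *udp = xs_url_dec(v);
-xs *pnv = xs_split_n(udp, "?", 1);
+xs *pnv = xs_split_n(v, "?", 1);
 
 /* store the path */
 req = xs_dict_append(req, "path", xs_list_get(pnv, 0));
@@ -233,8 +232,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
 const char *ct = xs_dict_get(req, "content-type");
 
 if (*payload && ct && strcmp(ct, "application/x-www-form-urlencoded") == 0) {
-xs *upl = xs_url_dec(*payload);
-p_vars = xs_url_vars(upl);
+p_vars = xs_url_vars(*payload);
 }
 else
 if (*payload && ct && xs_startswith(ct, "multipart/form-data")) {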
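Review bot: In the `REQUEST_URI` branch the value stored under `"path"` is now `xs_list_get(pnv, 0)` taken from the undecoded `v`, so the path is no longer percent-decoded anywhere in the visible lines; the first hunk of xs_httpd.h has the same effect. If nothing outside the hunk decodes it, route matching and any checks keyed on the path will see `%40user` rather than `@user`, and the application may disagree with a front-end proxy about which resource was requested. Decoding only the path part after the split keeps the intent of the commit: `xs *path = xs_url_dec(xs_list_get(pnv, 0));` followed by `req = xs_dict_append(req, "path", path);`. The body of `xs_fcgi_request` continues outside the hunk, so a decode further down cannot be ruled out.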
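diff --git a/xs_httpd.h b/xs_httpd.h
index 1782487..02b8ac2 100644
--- a/xs_httpd.h
+++ b/xs_httpd.h
@@ -36,7 +36,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
 
 {
 /* split the path with its optional variables */
-xs *udp = xs_url_dec(xs_list_get(l2, 1));
+const xs_val *udp = xs_list_get(l2, 1);
 xs *pnv = xs_split_n(udp, "?", 1);
 
 /* store the path */
@@ -75,8 +75,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
 v = xs_dict_get(req, "content-type");
 
 if (*payload && v && strcmp(v, "application/x-www-form-urlencoded") == 0) {
-xs *upl = xs_url_dec(*payload);
-p_vars = xs_url_vars(upl);
+p_vars = xs_url_vars(*payload);
 }
 else
 if (*payload && v && xs_startswith(v, "multipart/form-data")) {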
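Review bot: The local in the first hunk keeps the name `udp` although it now holds the request target exactly as received, `const xs_val *udp = xs_list_get(l2, 1);`. The name presumably stood for the url-decoded path, so it now reads as if decoding had already happened. Renaming it, e.g. `const xs_val *raw_uri = xs_list_get(l2, 1);` and `xs *pnv = xs_split_n(raw_uri, "?", 1);`, stops a later reader from assuming the stored path is already in decoded form. `xs_httpd_request` starts and ends outside the hunk.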
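diff --git a/xs_url.h b/xs_url.h
index d6dd47a..a4f9dc1 100644
--- a/xs_url.h
+++ b/xs_url.h
@@ -53,7 +53,7 @@ xs_dict *xs_url_vars(const char *str)
 const xs_val *v;
 
 xs_list_foreach(args, v) {
-xs *kv = xs_split_n(v, "=", 1);
+xs *kv = xs_split_n(xs_url_dec(v), "=", 1);
 
 if (xs_list_len(kv) == 2) {
 const char *key = xs_list_get(kv, 0);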
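Review bot: `xs_split_n(xs_url_dec(v), "=", 1)` passes the decoded string straight into the split, so nothing owns it. Every use of `xs_url_dec` that this commit removes binds the result to an `xs *` local, which suggests the return value is allocated and must be released; if so, this line leaks one string per form field on every request. The decode also still runs before the `=` split, so a key containing an encoded `%3D` is cut in the wrong place, the same class of problem the commit fixes for `&`. Splitting first and decoding key and value separately addresses both. The loop body continues outside the hunk, so the sketch assumes the value is read with `xs_list_get(kv, 1)` further down.

```c
xs_list_foreach(args, v) {
    xs *kv = xs_split_n(v, "=", 1);

    if (xs_list_len(kv) == 2) {
        /* decode only after both separators have been consumed */
        xs *key = xs_url_dec(xs_list_get(kv, 0));
        xs *val = xs_url_dec(xs_list_get(kv, 1));
        // … unchanged: store the pair in the result dict, using key and val …
```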