
From: Stefan Sperling <stsp@stsp.name>
Subject: Re: gotwebd: percent-encode querystrings
To: Omar Polo <op@omarpolo.com>
Cc: gameoftrees@openbsd.org
Date: Tue, 6 Sep 2022 18:50:03 +0200

On Tue, Sep 06, 2022 at 05:12:14PM +0200, Omar Polo wrote:
> here's a rebased and slightly improved diff.  it makes gotwebd gain a
> few lines of code but I think it's better than revisiting every function
> where we print a link and allocate yet another local string that we
> might forget to free and making the output functions even more complex
> to follow.  it also centralizes how we generate URLs, hopefully making
> the life easier in the future if we want to change things.
> 
> the changes to the previous version are:
> 
>  - escape the `headref' parameter too
>  - use a consistent ordering of the fields
>  - add a comment before the gotweb_url struct

This seems much saner than what we had before. ok by me, though
I have no time to test right now.

Should we also refuse attempts to encode control-characters into URLs
(byte values between 1 and 31, excluding 9 which is '\t')?
See https://daniel.haxx.se/blog/2022/09/05/a-bug-that-was-23-years-old-or-not/
for reasons why we might want to block them.

A similar issue might affect the decoder (I haven't looked); if that
is the case then we could handle control chars in follow-up commits.