From: Stefan Sperling
Subject: Re: gotwebd: percent-encode querystrings
To: Omar Polo
Cc: gameoftrees@openbsd.org
Date: Tue, 6 Sep 2022 18:50:03 +0200

On Tue, Sep 06, 2022 at 05:12:14PM +0200, Omar Polo wrote:
> here's a rebased and slightly improved diff. it makes gotwebd gain a
> few lines of code but I think it's better than revisit every function
> where we print a link and allocate yet another local string that we
> might forget to free and making the output functions even more complex
> to follow. it also centralizes how we generate URLs, hopefully making
> the life easier in the future if we want to change things.
>
> the changes to the previous version are:
>
> - escape the `headref' parameter too
> - use a consistent ordering of the fields
> - add a comment before the gotweb_url struct

This seems much saner than what we had before.
ok by me, though I have no time to test right now.

Should we also refuse attempts to encode control-characters into URLs
(byte values between 1 and 31, excluding 9 which is '\t')?
See https://daniel.haxx.se/blog/2022/09/05/a-bug-that-was-23-years-old-or-not/
for reasons why we might want to block them.

A similar issue might affect the decoder (I haven't looked); if that is
the case then we could handle control chars in follow-up commits.
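
The check suggested in the reply above, as an added example that is not part of the original message and not gotwebd's code: a percent-encoder for query-string values that refuses bytes 1 to 31 other than tab. The name `qs_encode`, its signature and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not gotwebd code): percent-encode `in` as a
 * query-string value. Returns 0 on success, -1 if `in` holds a control
 * byte in 1..31 other than '\t', or if `out` is too small. */
int
qs_encode(const char *in, char *out, size_t outlen)
{
	static const char hex[] = "0123456789ABCDEF";
	size_t o = 0;

	for (; *in != '\0'; in++) {
		unsigned char c = (unsigned char)*in;

		/* Refuse control characters; tab is the one exception. */
		if (c < 0x20 && c != '\t')
			return -1;
		/* RFC 3986 unreserved characters pass through unchanged. */
		if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9') || strchr("-._~", c) != NULL) {
			if (o + 1 >= outlen)	/* byte plus trailing NUL */
				return -1;
			out[o++] = (char)c;
			continue;
		}
		/* Everything else, tab included, becomes %XX. */
		if (o + 3 >= outlen)
			return -1;
		out[o++] = '%';
		out[o++] = hex[c >> 4];
		out[o++] = hex[c & 0x0f];
	}
	if (outlen == 0)
		return -1;
	out[o] = '\0';
	return 0;
}

int
main(void)
{
	/* Constructed sample values, not taken from gotwebd. */
	const char *samples[] = { "refs/heads/main", "a b&c=d", "x\r\ny" };
	char buf[64];

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%s\n", qs_encode(samples[i], buf, sizeof(buf)) == 0 ?
		    buf : "(rejected)");
	return 0;
}
```

Returning an error instead of emitting `%0D%0A` lets the caller decide whether to drop the link or fail the request, so a CR or LF in a parameter never reaches a generated URL in any form.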