Merge pull request from GHSA-8fp4-rp6c-5gcv
Motivation:
- We changed how `PathAndQuery` handles `%2F` (/) in 1.12.0 via #3855. This change introduces an unexpected hole in its double-dot detection logic.
- Since we decided not to decode `%2F`, we should not decode it wherever possible.

Modifications:
- Hardened the double-dot detection logic in `PathAndQuery`.
- `Bytes.data` now always stores the bytes in their decoded form. We keep whether the byte has to be encoded in a separate `BitSet`.
- Split `ArmeriaHttpUtil.decodePath()` into `decodePath()` and `decodePathParam()`.
- We don't decode `%2F` in `decodePath()`, but we do in `decodePathParam()`.
- `RoutingResultBuilder.rawParam()` now uses `decodePathParam()` because `decodePath()` doesn't decode `%2F` anymore.

Result:
- A path that contains double dots with `%2F`, such as `/files/..%2Fsecrets.txt`, is now rejected correctly.
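The commit message describes two ideas: an encoded slash (`%2F`) must stay encoded when the request path is decoded, and dot-dot detection has to treat `%2F` as a segment boundary so that `..%2Fsecrets.txt` cannot hide a `..` segment inside what looks like a single file name. The following Python is an added illustration of that hardening, written for this page; it is not Armeria's code and does not use Armeria's API. The function names (`decode_path`, `decode_path_param`, `has_dot_dot`, `naive_has_dot_dot`) and the sample paths are constructed here to mirror the split between `decodePath()` and `decodePathParam()` that the commit describes.

```python
"""Dot-dot detection that survives a percent-encoded slash.

Added example (not Armeria's code). Shows why a check that only treats a
literal '/' as a segment boundary misses '/files/..%2Fsecrets.txt', and how
treating %2F as a boundary (while never decoding it into the path) fixes it.
"""
import re
from urllib.parse import unquote

# Matches an encoded slash in either case. It is split on, never decoded.
_ENCODED_SLASH = re.compile(r"%2[fF]")


def decode_path(raw_path: str) -> str:
    """Decode a request path once, keeping every %2F encoded.

    An encoded slash is data inside a segment, not a separator, so it is
    preserved verbatim. All other escapes (%2E, %20, ...) are decoded.
    Single-pass: a doubly encoded '%252F' becomes the literal text '%2F'
    and is not decoded again.
    """
    return "%2F".join(unquote(piece) for piece in _ENCODED_SLASH.split(raw_path))


def decode_path_param(raw_param: str) -> str:
    """Decode a captured path parameter fully, %2F included.

    Once routing has already fixed the segment boundaries, the captured
    value may legitimately contain a slash, so here %2F is decoded.
    """
    return unquote(raw_param)


def path_pieces(raw_path: str) -> list[str]:
    """Split a raw path on literal '/' AND on %2F, decoding each piece once.

    Splitting before decoding guarantees a piece can never contain a
    separator, so a comparison against '..' is exact.
    """
    pieces: list[str] = []
    for segment in raw_path.split("/"):
        for sub in _ENCODED_SLASH.split(segment):
            pieces.append(unquote(sub))
    return pieces


def has_dot_dot(raw_path: str) -> bool:
    """Hardened check: True if any piece (by '/' or %2F boundary) is '..'."""
    return any(piece == ".." for piece in path_pieces(raw_path))


def naive_has_dot_dot(raw_path: str) -> bool:
    """Illustrative weak check: only a literal '/' is a segment boundary.

    '..%2Fsecrets.txt' decodes to '../secrets.txt', which is not equal to
    '..', so the traversal segment is not detected. This reproduces the
    class of hole the commit message describes; it is not a copy of the
    pre-fix Armeria logic.
    """
    return any(unquote(segment) == ".." for segment in raw_path.split("/"))


if __name__ == "__main__":
    # Constructed sample paths, including the one quoted in the commit message.
    samples = [
        "/files/../secrets.txt",
        "/files/..%2Fsecrets.txt",
        "/files/..%2fsecrets.txt",
        "/files/%2E%2E/secrets.txt",
        "/files/report..txt",
        "/files/a%20b",
    ]
    print(f"{'raw path':<28} {'naive':<6} {'hardened':<9} decoded")
    for path in samples:
        print(f"{path:<28} {str(naive_has_dot_dot(path)):<6} "
              f"{str(has_dot_dot(path)):<9} {decode_path(path)}")
    print("param c%2Fd ->", decode_path_param("c%2Fd"))
```

Running the block prints a small table: the naive check flags `/files/../secrets.txt` but not the `%2F` and `%2f` variants, while the hardened check flags all of them (including the `%2E%2E` spelling) and leaves `report..txt` alone. `decode_path` leaves `%2F` in place, whereas `decode_path_param` turns `c%2Fd` into `c/d`, which is the division of labour the commit introduces between `decodePath()` and `decodePathParam()`.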