-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
resolve_file does not decode percent encoding #755
Comments
Looks like it has been like that forever, and definitely does not strip the # Cohttp_lwt_unix.Server.resolve_file ~docroot:"" ~uri:(Uri.of_string "../../list.dat");;
- : string = "../../list.dat"
# Cohttp_lwt_unix.Server.resolve_local_file ~docroot:"" ~uri:(Uri.of_string "../../list.dat")
;;
- : string = "list.dat" |
mseri
added a commit
that referenced
this issue
Mar 16, 2021
Merge resolve_file / resolve_local_file implementations (fixes #755)
mseri
pushed a commit
that referenced
this issue
Mar 16, 2021
Merge Cohttp_async.resolve_local_file, Cohttp_lwt.resolve_local_file, and Cohttp_lwt_unix.resolve_file into one new function, Cohttp.Server_utils.resolve_local_file. (This adds Server_utils as a new module, since there didn't seem to be any other good place for this code). The implementation now correctly handles ../ in the URI (Cohttp_lwt_unix.resolve_file claimed to do so, but actually didn't for file URIs). It percent-decodes the URI path (Cohttp_lwt_unix.resolve_file did not, but the other two already did). It correctly handles the path separators so that we don't get two slashes together (both Cohttp_lwt_unix.resolve_file and Cohttp_async.resolve_local_file got that one wrong). It also doesn't crash if the URI is blank (Cohttp_lwt.resolve_local_file got that wrong). Signed-off-by: Ewan Mellor <ewan@tarides.com>
mseri
added a commit
to mseri/opam-repository
that referenced
this issue
Mar 16, 2021
…ohttp-top, cohttp-async and cohttp-mirage (2.5.5) CHANGES: - `Cohttp_async.resolve_local_file`, `Cohttp_lwt.resolve_local_file` and `Cohttp_lwt_unix.resolve_file` are now the same code under the hood (`Cohttp.Path.resolve_local_file`). The old names have been preserved for compatibility, but will be marked as deprecated in the next release. This changes the behavior of `Cohttp_lwt_unix.resolve_file`: it now percent-decodes the paths and blocks escaping from the docroot correctly. This also fixes and tests the corner cases in these methods when the docroot is empty. (@ewanmellor mirage/ocaml-cohttp#755)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Cohttp_lwt_unix.Server.resolve_file
does not decode the percent encoding in the given URI's path, meaning that it returns an incorrect filename for anything with an encoded character. In the code below,Uri.path
(from mirage/ocaml-uri) returns the encoded form of the path.The fix is easy, but investigating this I found that there are two further implementations of essentially the same function:
(Note that these two implementations at least get the percent-decode correct!)
Why do we have three different implementations of the same function? Is there somewhere sensible that we can put a canonical version?
The text was updated successfully, but these errors were encountered: