Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resolve_file does not decode percent encoding #755

Closed
ewanmellor opened this issue Mar 14, 2021 · 1 comment
Closed

resolve_file does not decode percent encoding #755

ewanmellor opened this issue Mar 14, 2021 · 1 comment
Labels
API Bug

Comments

@ewanmellor
Copy link
Contributor

Cohttp_lwt_unix.Server.resolve_file does not decode the percent encoding in the given URI's path, meaning that it returns an incorrect filename for anything with an encoded character. In the code below, Uri.path (from mirage/ocaml-uri) returns the encoded form of the path.

# cohttp-lwt-unix/src/server.ml:

let resolve_file ~docroot ~uri =
  (* This normalises the Uri and strips out .. characters *)
  let frag = Uri.path (Uri.resolve "" blank_uri uri) in
  Filename.concat docroot frag

The fix is easy, but investigating this I found that there are two further implementations of essentially the same function:

# ./cohttp-lwt/src/server.ml:

 let resolve_local_file ~docroot ~uri =
    let path = Uri.(pct_decode (path (resolve "http" (of_string "/") uri))) in
    let rel_path = String.sub path 1 (String.length path - 1) in
    Filename.concat docroot rel_path

# ./cohttp-async/src/server.ml:

let resolve_local_file ~docroot ~uri =
  (* This normalises the Uri and strips out .. characters *)
  Uri.(pct_decode (path (resolve "" (of_string "/") uri)))
  |> Caml.Filename.concat docroot

(Note that these two implementations at least get the percent-decode correct!)

Why do we have three different implementations of the same function? Is there somewhere sensible that we can put a canonical version?
@mseri mseri added the API label Mar 15, 2021
@mseri
Copy link
Collaborator

mseri commented Mar 15, 2021

Looks like it has been like that forever, and definitely does not strip the .. as advertised:

# Cohttp_lwt_unix.Server.resolve_file ~docroot:"" ~uri:(Uri.of_string "../../list.dat");;
- : string = "../../list.dat"

# Cohttp_lwt_unix.Server.resolve_local_file ~docroot:"" ~uri:(Uri.of_string "../../list.dat")
;;
- : string = "list.dat"

@mseri mseri added the Bug label Mar 15, 2021
@mseri mseri closed this as completed in a39308d Mar 16, 2021
mseri added a commit that referenced this issue Mar 16, 2021
@mseri
Merge pull request #756 from ewanmellor/fix-issue-755
90af82f 
Merge resolve_file / resolve_local_file implementations (fixes #755)
mseri pushed a commit that referenced this issue Mar 16, 2021
@ewanmellor @mseri
Merge resolve_file / resolve_local_file implementations (fixes #755)
6185122 
Merge Cohttp_async.resolve_local_file, Cohttp_lwt.resolve_local_file,
and Cohttp_lwt_unix.resolve_file into one new function,
Cohttp.Server_utils.resolve_local_file.  (This adds Server_utils as a
new module, since there didn't seem to be any other good place for this
code).

The implementation now correctly handles ../ in the URI
(Cohttp_lwt_unix.resolve_file claimed to do so, but actually didn't
for file URIs). It percent-decodes the URI path
(Cohttp_lwt_unix.resolve_file did not, but the other two already did).
It correctly handles the path separators so that we don't get two slashes
together (both Cohttp_lwt_unix.resolve_file and
Cohttp_async.resolve_local_file got that one wrong).  It also doesn't
crash if the URI is blank (Cohttp_lwt.resolve_local_file got that wrong).

Signed-off-by: Ewan Mellor <ewan@tarides.com>
mseri added a commit to mseri/opam-repository that referenced this issue Mar 16, 2021
@mseri
[new release] cohttp-lwt-jsoo, cohttp, cohttp-lwt, cohttp-lwt-unix, c…
52e904c 
…ohttp-top, cohttp-async and cohttp-mirage (2.5.5)

CHANGES:

- `Cohttp_async.resolve_local_file`, `Cohttp_lwt.resolve_local_file` and `Cohttp_lwt_unix.resolve_file`
  are now the same code under the hood (`Cohttp.Path.resolve_local_file`). The old names
  have been preserved for compatibility, but will be marked as deprecated in the next release. This
  changes the behavior of `Cohttp_lwt_unix.resolve_file`: it now percent-decodes the paths and blocks
  escaping from the docroot correctly. This also fixes and tests the corner cases in these methods
  when the docroot is empty. (@ewanmellor mirage/ocaml-cohttp#755)
@mseri mseri mentioned this issue Mar 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
API Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ewanmellor @mseri