Skip to content

Commit

Permalink
Support full URIs in the GET request
Browse files Browse the repository at this point in the history
Fixes #1675
  • Loading branch information
Fabrizio Furano committed Apr 12, 2022
1 parent d98818e commit f25b6e8
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 2 deletions.
40 changes: 38 additions & 2 deletions src/XrdHttp/XrdHttpReq.cc
Expand Up @@ -883,15 +883,47 @@ void XrdHttpReq::appendOpaque(XrdOucString &s, XrdSecEntity *secent, char *hash,

}

// Extracts the opaque info from the given url

// Sanitize the resource from the http[s]://[host]/ questionable prefix
// https://github.com/xrootd/xrootd/issues/1675
void XrdHttpReq::sanitizeResourcePfx() {

if (resource.beginswith("https://")) {
// Find the slash that follows the hostname, and keep it
int p = resource.find('/', 8);
resource.erasefromstart(p);
return;
}

if (resource.beginswith("http://")) {
// Find the slash that follows the hostname, and keep it
int p = resource.find('/', 7);
resource.erasefromstart(p);
return;
}
}


// Parse a resource line:
// - sanitize
// - extracts the opaque info from the given url
// - sanitize the resource from http[s]://[host]/ questionable prefix
void XrdHttpReq::parseResource(char *res) {




// Look for the first '?'
char *p = strchr(res, '?');

// Not found, then it's just a filename
if (!p) {
resource.assign(res, 0);

// Some poor client implementations may inject a http[s]://[host]/ prefix
// to the resource string. Here we choose to ignore it as a protection measure
sanitizeResourcePfx();

char *buf = unquote((char *)resource.c_str());
resource.assign(buf, 0);
resourceplusopaque.assign(buf, 0);
Expand All @@ -912,7 +944,11 @@ void XrdHttpReq::parseResource(char *res) {

int cnt = p - res; // Number of chars to copy
resource.assign(res, 0, cnt - 1);


// Some poor client implementations may inject a http[s]://[host]/ prefix
// to the resource string. Here we choose to ignore it as a protection measure
sanitizeResourcePfx();

char *buf = unquote((char *)resource.c_str());
resource.assign(buf, 0);
free(buf);
Expand Down
3 changes: 3 additions & 0 deletions src/XrdHttp/XrdHttpReq.hh
Expand Up @@ -113,6 +113,9 @@ private:
void parseResource(char *url);
// Map an XRootD error code to an appropriate HTTP status code and message
void mapXrdErrorToHttpStatus();

// Sanitize the resource from http[s]://[host]/ questionable prefix
void sanitizeResourcePfx();
public:

XrdHttpReq(XrdHttpProtocol *protinstance) : keepalive(true) {
Expand Down

0 comments on commit f25b6e8

Please sign in to comment.