From 06e9d3401803c89ebb243ce78ae5ddf709da3853 Mon Sep 17 00:00:00 2001 From: Badlop Date: Fri, 16 Nov 2018 11:43:11 +0100 Subject: [PATCH] Handle some malformed URL requests in ejabberd_http (#2687) --- src/ejabberd_http.erl | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) diff --git a/src/ejabberd_http.erl b/src/ejabberd_http.erl index 65a0c2f5d..727b57f8f 100644 --- a/src/ejabberd_http.erl +++ b/src/ejabberd_http.erl @@ -411,11 +411,11 @@ extract_path_query(#state{request_method = Method, when Method =:= 'GET' orelse Method =:= 'HEAD' orelse Method =:= 'DELETE' orelse Method =:= 'OPTIONS' -> - case catch url_decode_q_split(Path) of - {'EXIT', _} -> {State, false}; - {NPath, Query} -> - LPath = normalize_path([NPE - || NPE <- str:tokens(path_decode(NPath), <<"/">>)]), + case catch url_decode_q_split_normalize(Path) of + {'EXIT', Error} -> + ?DEBUG("Error decoding URL '~p': ~p", [Path, Error]), + {State, false}; + {LPath, Query} -> LQuery = case catch parse_urlencoded(Query) of {'EXIT', _Reason} -> []; LQ -> LQ @@ -429,11 +429,11 @@ extract_path_query(#state{request_method = Method, sockmod = _SockMod, socket = _Socket} = State) when (Method =:= 'POST' orelse Method =:= 'PUT') andalso Len>0 -> - case catch url_decode_q_split(Path) of - {'EXIT', _} -> {State, false}; - {NPath, _Query} -> - LPath = normalize_path( - [NPE || NPE <- str:tokens(path_decode(NPath), <<"/">>)]), + case catch url_decode_q_split_normalize(Path) of + {'EXIT', Error} -> + ?DEBUG("Error decoding URL '~p': ~p", [Path, Error]), + {State, false}; + {LPath, _Query} -> case Method of 'PUT' -> {State, {LPath, [], Trail}}; 
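Review bot: The new `{'EXIT', Error}` branch in the GET/HEAD/DELETE/OPTIONS clause still sits under old-style `catch`, which only tags errors and exits: a `throw` from the decode or normalize helpers would come back as a bare term and either fail with `case_clause` or, if it happens to be a 2-tuple, be accepted as `{LPath, Query}`. The POST/PUT clause in the next hunk repeats the same construct. Whether any helper actually throws is not visible here, but `try url_decode_q_split_normalize(Path) of {LPath, Query} -> ... catch _:Reason -> ... end` would send every failure mode to the `{State, false}` rejection path and keep the success branch outside the protected region. The clause starts and ends outside the hunk, so the closing `end` would have to move with the change.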
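Review bot: The `?DEBUG` line in the POST/PUT clause writes the whole client-supplied `Path` to the log, and because the `?` split happens inside the helper that value still carries the query string; the term bound to `Error` by `catch` also includes a stack trace, which may repeat the same input. The identical line is in the GET clause of the previous hunk. If clients can put tokens or passwords in the query, log only the part of `Path` before the first `?` together with the error reason, for example `?DEBUG("Error decoding URL path ~p: ~p", [PathOnly, Reason])` (constructed names). Keeping `~p` rather than `~s` is right, since it escapes control characters in request-controlled data. Because the message is debug-only, repeated malformed requests will not show up at normal log levels, so consider whether a counter or a rate-limited warning is wanted for detection.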
@@ -724,6 +724,12 @@ file_format_error(Reason) -> Text -> Text end. +url_decode_q_split_normalize(Path) -> + {NPath, Query} = url_decode_q_split(Path), + LPath = normalize_path([NPE + || NPE <- str:tokens(path_decode(NPath), <<"/">>)]), + {LPath, Query}. + % Code below is taken (with some modifications) from the yaws webserver, which % is distributed under the following license: %
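Review bot: `url_decode_q_split_normalize/1` has no comment or `-spec` stating that it is expected to crash on malformed input and must be called under `catch`/`try`, which is the contract both callers depend on; I would add `% Decodes Path, splits off the query and normalizes the path segments. Crashes on malformed input; callers must wrap the call.` above it. The line `str:tokens(path_decode(NPath), <<"/">>)` splits on `/` after decoding, and `NPath` has already passed through `url_decode_q_split`. Neither helper is visible here, so please confirm that the path is not percent-decoded twice and that an encoded slash becoming a segment separator before `normalize_path` is intended. The comprehension `[NPE || NPE <- ...]` only copies the list and could be dropped: `LPath = normalize_path(str:tokens(path_decode(NPath), <<"/">>)),`.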