mirror of https://github.com/processone/ejabberd.git synced 2024-11-20 16:15:59 +01:00

Handle some malformed URL requests in ejabberd_http (#2687)

Badlop 2018-11-16 11:43:11 +01:00
parent 1d80addb7d
commit 06e9d34018


@ -411,11 +411,11 @@ extract_path_query(#state{request_method = Method,
when Method =:= 'GET' orelse when Method =:= 'GET' orelse
Method =:= 'HEAD' orelse Method =:= 'HEAD' orelse
Method =:= 'DELETE' orelse Method =:= 'OPTIONS' -> Method =:= 'DELETE' orelse Method =:= 'OPTIONS' ->
case catch url_decode_q_split(Path) of case catch url_decode_q_split_normalize(Path) of
{'EXIT', _} -> {State, false}; {'EXIT', Error} ->
{NPath, Query} -> ?DEBUG("Error decoding URL '~p': ~p", [Path, Error]),
LPath = normalize_path([NPE {State, false};
|| NPE <- str:tokens(path_decode(NPath), <<"/">>)]), {LPath, Query} ->
LQuery = case catch parse_urlencoded(Query) of LQuery = case catch parse_urlencoded(Query) of
{'EXIT', _Reason} -> []; {'EXIT', _Reason} -> [];
LQ -> LQ LQ -> LQ
@ -429,11 +429,11 @@ extract_path_query(#state{request_method = Method,
sockmod = _SockMod, sockmod = _SockMod,
socket = _Socket} = State) socket = _Socket} = State)
when (Method =:= 'POST' orelse Method =:= 'PUT') andalso Len>0 -> when (Method =:= 'POST' orelse Method =:= 'PUT') andalso Len>0 ->
case catch url_decode_q_split(Path) of case catch url_decode_q_split_normalize(Path) of
{'EXIT', _} -> {State, false}; {'EXIT', Error} ->
{NPath, _Query} -> ?DEBUG("Error decoding URL '~p': ~p", [Path, Error]),
LPath = normalize_path( {State, false};
[NPE || NPE <- str:tokens(path_decode(NPath), <<"/">>)]), {LPath, _Query} ->
case Method of case Method of
'PUT' -> 'PUT' ->
{State, {LPath, [], Trail}}; {State, {LPath, [], Trail}};
@ -724,6 +724,12 @@ file_format_error(Reason) ->
Text -> Text Text -> Text
end. end.
url_decode_q_split_normalize(Path) ->
{NPath, Query} = url_decode_q_split(Path),
LPath = normalize_path([NPE
|| NPE <- str:tokens(path_decode(NPath), <<"/">>)]),
{LPath, Query}.
% Code below is taken (with some modifications) from the yaws webserver, which % Code below is taken (with some modifications) from the yaws webserver, which
% is distributed under the following license: % is distributed under the following license:
% %
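Review bot: The old-style `case catch url_decode_q_split_normalize(Path) of` in both `extract_path_query` clauses now also traps whatever `path_decode`, `str:tokens` and `normalize_path` raise, and if any of them ever throws a two-element tuple it would match `{LPath, Query}` and be used as the request path. `try url_decode_q_split_normalize(Path) of {LPath, Query} -> ... catch _:Error -> ?DEBUG("Error decoding URL '~p': ~p", [Path, Error]), {State, false} end` still rejects malformed URLs but matches only real return values and keeps the success branch outside the protected section. The unchanged `case catch parse_urlencoded(Query)` in the first clause still maps a malformed query string to `[]` with no log line, which is inconsistent with the new `?DEBUG` and makes bad requests harder to triage. The new helper has no comment or `-spec`; I would add `%% Crashes on malformed input; callers must trap the failure and reject the request.` above `url_decode_q_split_normalize/1`. Both `extract_path_query` clauses begin and end outside the hunks shown, so how `{State, false}` is answered to the client cannot be checked from here.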