diff --git a/include/kore/http.h b/include/kore/http.h
index c4538a2..c865750 100644
--- a/include/kore/http.h
+++ b/include/kore/http.h
@@ -415,8 +415,8 @@ int http_state_exists(struct http_request *);
 void http_state_cleanup(struct http_request *);
 void *http_state_create(struct http_request *, size_t);
-int http_argument_urldecode(char *);
 int http_header_recv(struct netbuf *);
+int http_argument_urldecode(char *, int);
 void http_populate_qs(struct http_request *);
 void http_populate_post(struct http_request *);
 void http_populate_multipart_form(struct http_request *);
diff --git a/src/filemap.c b/src/filemap.c
index ddb9d48..15fb8d2 100644
--- a/src/filemap.c
+++ b/src/filemap.c
@@ -195,7 +195,7 @@ filemap_serve(struct http_request *req, const struct filemap_entry *map)
 return;
 }
- if (!http_argument_urldecode(fpath)) {
+ if (!http_argument_urldecode(fpath, 1)) {
 http_response(req, HTTP_STATUS_BAD_REQUEST, NULL, 0);
 return;
 }
diff --git a/src/http.c b/src/http.c
index 5243d5d..626bf06 100644
--- a/src/http.c
+++ b/src/http.c
@@ -1008,7 +1008,7 @@ http_argument_get(struct http_request *req, const char *name,
 }
 int
-http_argument_urldecode(char *arg)
+http_argument_urldecode(char *arg, int url)
 {
 u_int8_t v;
 int err;
@@ -1046,8 +1046,14 @@ http_argument_urldecode(char *arg)
 if (err != KORE_RESULT_OK)
 return (err);
- if (v <= 0x1f || v == 0x7f)
- return (KORE_RESULT_ERROR);
+ if (url) {
+ if (v <= 0x1f || v == 0x7f)
+ return (KORE_RESULT_ERROR);
+ } else {
+ if ((v <= 0x1f || v == 0x7f) &&
+ (v != '\n' && v != '\r'))
+ return (KORE_RESULT_ERROR);
+ }
 *in++ = (char)v;
 p += 3;
@@ -2284,7 +2290,7 @@ http_argument_add(struct http_request *req, char *name, char *value, int qs,
 struct kore_route_params *p;
 if (decode) {
- if (!http_argument_urldecode(name))
+ if (!http_argument_urldecode(name, qs))
 return;
 }
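Review bot: The new `url` parameter of `http_argument_urldecode()` in src/http.c (hunk at -1008) is an undocumented int flag, and the prototype in include/kore/http.h, `int http_argument_urldecode(char *, int);`, leaves it unnamed, so a caller cannot tell which value selects the strict check. The call sites do not help, since they pass a bare `1` in filemap.c and `qs` in http_argument_add(). A comment above the definition would settle it: `/* url != 0: reject every decoded control byte; url == 0: also accept CR and LF. */`. Only the head of the function is visible in this hunk.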
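Review bot: The else-branch in the src/http.c hunk at -1046 lets percent-decoded CR and LF through, so any handler that copies such an argument into a response header, a log line or another line-oriented sink now receives client-supplied line breaks, and nothing at this spot tells the reader so. Tab (0x09) is still rejected in this mode, which may or may not be intended for multi-line text. A comment on the else-branch would help: `/* form data: CR/LF allowed for multi-line fields; callers must escape before header or log use */`. The two branches could also be a single test, `if ((v <= 0x1f || v == 0x7f) && (url || (v != '\n' && v != '\r')))`. The function starts and ends outside this hunk.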
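Review bot: Passing `qs` as the strictness flag for the argument name in http_argument_add() (src/http.c hunk at -2284) means a non-query-string argument may now carry CR or LF in its name as well as in its value. Names presumably serve as lookup keys (the lookup code is not visible here) and have no obvious need for line breaks, so the name decode could stay strict: `if (!http_argument_urldecode(name, 1))`. The value decode in the later hunk at -2301 would then be the only relaxed path. The function starts and ends outside this hunk.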
@@ -2301,7 +2307,7 @@ http_argument_add(struct http_request *req, char *name, char *value, int qs,
 continue;
 if (decode) {
- if (!http_argument_urldecode(value))
+ if (!http_argument_urldecode(value, qs))
 return;
 }