authorErlang/OTP <otp@erlang.org>2020-08-13 16:21:45 +0200
committerErlang/OTP <otp@erlang.org>2020-08-13 16:21:45 +0200
commit06ec0fe6ee3a071de81eacb8e207724d7ad3a635 (patch)
tree5595a771f029db19429a0b8b0dc4e75889f507e4
parent7d2639a2b908afa70eb5077fa0a71985cc9f04d2 (diff)
parent5296ae6c4761f26600c05e447cb0bda78a93b602 (diff)
Merge branch 'andy/inets/security_issue/ERIERL-522/OTP-16790' into maint-22
* andy/inets/security_issue/ERIERL-522/OTP-16790: inets, fix an error regarding decode of percent encoded URLs.
-rw-r--r--lib/inets/src/http_server/httpd_util.erl10
-rw-r--r--lib/inets/test/httpd_SUITE.erl11
2 files changed, 17 insertions, 4 deletions
diff --git a/lib/inets/src/http_server/httpd_util.erl b/lib/inets/src/http_server/httpd_util.erl
index 05cff30243..ce7f184d09 100644
--- a/lib/inets/src/http_server/httpd_util.erl
+++ b/lib/inets/src/http_server/httpd_util.erl
@@ -406,10 +406,11 @@ flatlength([_H|T],L) ->
flatlength([],L) ->
L.
-%% split_path
+%% split_path, URI has been decoded once when validate
+%% and should only be decoded once(RFC3986, 2.4).
split_path(URI) ->
- case uri_string:normalize(URI, [return_map]) of
+ case uri_string:parse(URI) of
#{fragment := Fragment,
path := Path,
query := Query} ->
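Review bot: The new comment above split_path/1 says the URI "has been decoded once when validate" but never states what a second decode would allow, which is exactly what a future maintainer needs before reaching for normalize/2 again. I would make it explicit: `%% Do not percent-decode here: the request URI is decoded exactly once during validation (RFC 3986, 2.4). Decoding again would turn a double-encoded "%252e" into "." and let "/.%252e/.%252e/" slip past the dot-segment check.` Note that uri_string:parse/1 also skips the dot-segment removal and scheme/host case normalization that normalize/2 performed, so any caller that relied on split_path returning a canonical path now depends on the validation step having done that work — worth confirming against the validator, which is not visible here. The remaining clauses of split_path/1, presumably including the handling of the `{error, _, _}` return for malformed URIs, continue past the hunk.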
@@ -439,11 +440,12 @@ split_path([$/|Rest],SoFar) ->
split_path([C|Rest],SoFar) ->
split_path(Rest,[C|SoFar]).
-%% split_script_path
+%% split_script_path, URI has been decoded once when validate
+%% and should only be decoded once(RFC3986, 2.4).
split_script_path(URI) ->
- case uri_string:normalize(URI, [return_map]) of
+ case uri_string:parse(URI) of
#{fragment := _Fragment,
path := _Path,
query := _Query} ->
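Review bot: The same rationale comment and the same `uri_string:parse(URI)` call now appear in both split_path/1 and split_script_path/1, so the "decode exactly once" invariant lives in two places that can drift apart independently. I would put it in one private helper carrying the RFC 3986 comment, `parse_once(URI) -> uri_string:parse(URI).`, and have both functions do `case parse_once(URI) of`, so that anyone tempted to restore normalize/2 meets the security reasoning in a single spot. The rest of split_script_path/1 is outside the hunk.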
diff --git a/lib/inets/test/httpd_SUITE.erl b/lib/inets/test/httpd_SUITE.erl
index 0634f6b63d..f4925e00b4 100644
--- a/lib/inets/test/httpd_SUITE.erl
+++ b/lib/inets/test/httpd_SUITE.erl
@@ -484,6 +484,17 @@ get(Config) when is_list(Config) ->
{header, "Content-Type", "text/html"},
{header, "Date"},
{header, "Server"},
+ {version, Version}]),
+
+ ok = httpd_test_lib:verify_request(proplists:get_value(type, Config), Host,
+ proplists:get_value(port, Config),
+ transport_opts(Type, Config),
+ proplists:get_value(node, Config),
+ http_request("GET /.%252e/.%252e/.%252e/.%252e/.%252e/home/ ", Version, Host),
+ [{statuscode, 404},
+ {header, "Content-Type", "text/html"},
+ {header, "Date"},
+ {header, "Server"},
{version, Version}]).
basic_auth_1_1(Config) when is_list(Config) ->
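Review bot: The added request expects 404 for the double-encoded traversal `/.%252e/.%252e/.../home/`, but a still-vulnerable server would also answer 404 on a host where `/home/` does not exist or is not listable, so the assertion only discriminates on hosts that happen to have that directory. I would aim the traversal at a file the suite itself creates at a known location outside the document root, so that a regression yields 200 with recognizable content instead of a coincidental 404; which of the suite's data directories is suitable is not visible from this hunk. Since the fix now relies on the single decode happening in validation, a companion request in the single-encoded form, `http_request("GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/home/ ", Version, Host)`, expecting whatever status the validator returns for rejected dot-segments, would pin that side too. The enclosing get/1 starts before this hunk.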