From 3f9410e7a2663dc3f341f82687bef3e9dbea336a Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 15 Apr 2014 07:10:17 +0000
Subject: Revert "cgi: relax path restriction for top-level"
CGI mounts should probably handle this internally. We're reverting this since it adds too much potential for abuse with fake/extra prefixes in the URL. We also need to reorder our redirect handling as a result. This reverts commit c394de9f2c91c2c5ed1f7832a5a7cc0206120b7f.
---
 public-inbox.cgi | 8 ++++----
 t/cgi.t | 4 ----
 2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/public-inbox.cgi b/public-inbox.cgi
index 1fb96e75..9d60d1fc 100755
--- a/public-inbox.cgi
+++ b/public-inbox.cgi
@@ -17,7 +17,7 @@ use Encode qw(decode_utf8);
 use PublicInbox::Config;
 use URI::Escape qw(uri_escape uri_unescape);
 use Digest::SHA qw(sha1_hex);
-our $LISTNAME_RE = qr!\A(?:/.*?)?/([\w\.\-]+)!;
+our $LISTNAME_RE = qr!\A/([\w\.\-]+)!;
 our $pi_config;
 BEGIN {
 $pi_config = PublicInbox::Config->new;
@@ -62,7 +62,9 @@ sub main {
 # top-level indices and feeds
 if ($path_info eq "/") {
 r404();
- } elsif ($path_info =~ m!$LISTNAME_RE/(?:index\.html)?\z!o) {
+ } elsif ($path_info =~ m!$LISTNAME_RE\z!o) {
+ invalid_list(\%ctx, $1) || redirect_list_index(\%ctx, $cgi);
+ } elsif ($path_info =~ m!$LISTNAME_RE(?:/|/index\.html)?\z!o) {
 invalid_list(\%ctx, $1) || get_index(\%ctx, $cgi, 1);
 } elsif ($path_info =~ m!$LISTNAME_RE/(?:all\.html)?\z!o) {
 invalid_list(\%ctx, $1) || get_index(\%ctx, $cgi, 0);
@@ -85,8 +87,6 @@ sub main {
 } elsif ($path_info =~ m!$LISTNAME_RE/f/(\S+)\z!o) {
 redirect_mid_html($cgi, $1, $2);
- } elsif ($path_info =~ m!$LISTNAME_RE\z!o) {
- invalid_list(\%ctx, $1) || redirect_list_index(\%ctx, $cgi);
 } else {
 r404();
 }
diff --git a/t/cgi.t b/t/cgi.t
index 91efca50..611fb604 100644
--- a/t/cgi.t
+++ b/t/cgi.t
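Review bot: Nothing in this patch pins the tightened `$LISTNAME_RE` in public-inbox.cgi (hunk at line 17): the t/cgi.t hunk only deletes the `/prefixed/...` assertion, so prefix tolerance could return later without any test failing. Add a negative case beside the existing "mid.txt miss" check, for example `$res = cgi_run("/prefixed/test/m/blahblah\@example.com.txt");` followed by `like($res->{head}, qr/Status: 404 Not Found/, "extra URL prefix rejected");`. A short comment above the regex such as `# anchored at \A: the list name must be the first path component` would record why it is strict. Separately, the class `[\w\.\-]+` still accepts `.` and `..` as a list name, so rejecting those depends on `invalid_list`, which is not visible in this diff.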
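Review bot: In the public-inbox.cgi hunk at line 62, the trailing `?` on `(?:/|/index\.html)?` is dead, because a bare `/list` is always taken by the redirect branch added just above it; the index branch is therefore correct only while that order is kept. Writing the index pattern as `m!$LISTNAME_RE/(?:index\.html)?\z!o` keeps the same behaviour and makes it independent of where the redirect branch sits. If the order-sensitive form stays, add a comment on the redirect branch such as `# bare list name: must be tested before the index branch`. `main` starts and ends outside the hunk and `redirect_list_index` is not shown, so confirm it builds the redirect target from the validated list name rather than from the raw request path.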
@@ -156,10 +156,6 @@ EOF
 $res = cgi_run("/test/m/blahblah\@example.com.txt");
 like($res->{body}, qr/Message-Id: /, "mid.txt hit");
-
- my $pfx = cgi_run("/prefixed/test/m/blahblah\@example.com.txt");
- is_deeply($pfx, $res, "we do not have to be a top-level URL");
-
 $res = cgi_run("/test/m/blahblah\@example.con.txt");
 like($res->{head}, qr/Status: 404 Not Found/, "mid.txt miss");
--
cgit v1.2.3-24-ge0c7