From 91af69a41f2963f1f952cb0932ed23cd86cd1093 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 4 Jun 2019 10:19:34 +0000
Subject: www: require ASCII word characters for CSS filenames

Allowing admins to set non-ASCII CSS filenames could cause unnecessary problems for client and proxies.
---
 lib/PublicInbox/WWW.pm | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index f41f98ed..7ea98204 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -124,7 +124,7 @@ sub call {
 r301($ctx, $1, $2);
 } elsif ($path_info =~ m!$INBOX_RE/_/text(?:/(.*))?\z!o) {
 get_text($ctx, $1, $2);
- } elsif ($path_info =~ m!$INBOX_RE/([\w\-\.]+)\.css\z!o) {
+ } elsif ($path_info =~ m!$INBOX_RE/([a-zA-Z0-9_\-\.]+)\.css\z!o) {
 get_css($ctx, $1, $2);
 } elsif ($path_info =~ m!$INBOX_RE/($OID_RE)/s/\z!o) {
 get_vcs_object($ctx, $1, $2);
@@ -536,11 +536,15 @@ sub stylesheets_prepare ($$) {
 $inline_ok = 0;
 } else {
 my $fn = $_;
+ my ($key) = (m!([^/]+?)(?:\.css)?\z!i);
+ if ($key !~ /\A[a-zA-Z0-9_\-\.]+\z/) {
+ warn "ignoring $fn, non-ASCII word character\n";
+ next;
+ }
 open(my $fh, '<', $fn) or do {
 warn "failed to open $fn: $!\n";
 next;
 };
- my ($key) = (m!([^/]+?)(?:\.css)?\z!i);
 my $ctime = 0;
 my $local = do { local $/; <$fh> };
 if ($local =~ /\S/) {
-- 
cgit v1.2.3-24-ge0c7
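Review bot: The allowlist `[a-zA-Z0-9_\-\.]+` in the `.css` route of `sub call` is now written out twice, here and in the new `$key` check in `stylesheets_prepare`, so a later edit to one copy can leave the request path accepting names the config loader rejects, or the reverse. Define it once wherever `$INBOX_RE` is defined, e.g. `my $CSS_KEY_RE = qr/[a-zA-Z0-9_\-\.]+/;`, then use `m!$INBOX_RE/($CSS_KEY_RE)\.css\z!o` in the route and `/\A$CSS_KEY_RE\z/` in the loader. A one-line comment on that definition should say the class is deliberately ASCII-only because `\w` can match Unicode word characters on decoded strings. The body of `sub call` starts and ends outside this hunk and `get_css` is not visible, so how the captured name is used afterwards cannot be confirmed from here.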
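Review bot: `$key` is undefined when the match on `$_` fails (for example a configured path ending in `/`), and the added `$key !~ /\A[a-zA-Z0-9_\-\.]+\z/` then only rejects it because undef is treated as an empty string, with an uninitialized-value warning if warnings are enabled in this file. Make the guard explicit with `if (!defined($key) || $key !~ /\A[a-zA-Z0-9_\-\.]+\z/) {`. The message "non-ASCII word character" also misdescribes rejections of ASCII names that contain spaces or other punctuation; `warn "ignoring $fn, name must match [a-zA-Z0-9_.-]+\n";` tells the admin what is actually allowed. `stylesheets_prepare` starts and ends outside this hunk.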