From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 6BA6F1F46C for ; Tue, 4 Feb 2020 04:44:25 +0000 (UTC) From: Eric Wong To: meta@public-inbox.org Subject: [PATCH 1/5] www: stricter regexp for 405 errors Date: Tue, 4 Feb 2020 04:44:21 +0000 Message-Id: <20200204044425.14031-2-e@yhbt.net> In-Reply-To: <20200204044425.14031-1-e@yhbt.net> References: <20200204044425.14031-1-e@yhbt.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit List-Id: We want to match "GET" and "HEAD" exactly, not requests which start with "GET" or end with "HEAD". This doesn't seem like a real problem for public-inboxes which are actually public data anyways. --- lib/PublicInbox/WWW.pm | 2 +- t/httpd.t | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm index efe7c8ca..3ce7cc2a 100644 --- a/lib/PublicInbox/WWW.pm +++ b/lib/PublicInbox/WWW.pm @@ -70,7 +70,7 @@ sub call { return invalid_inbox($ctx, $1) || mbox_results($ctx); } } - elsif ($method !~ /\AGET|HEAD\z/) { + elsif ($method !~ /\A(?:GET|HEAD)\z/) { return r(405); } diff --git a/t/httpd.t b/t/httpd.t index 2972afb2..c9756a70 100644 --- a/t/httpd.t +++ b/t/httpd.t @@ -49,6 +49,11 @@ EOF $td = start_script($cmd, undef, { 3 => $sock }); my $host = $sock->sockhost; my $port = $sock->sockport; + { + my $bad = tcp_connect($sock); + print $bad "GETT / HTTP/1.0\r\n\r\n" or die; + like(<$bad>, qr!\AHTTP/1\.[01] 405\b!, 'got 405 on bad req'); + } my $conn = tcp_connect($sock); ok($conn, 'connected'); ok($conn->write("GET / HTTP/1.0\r\n\r\n"), 'wrote data to socket');