author | Eric Wong <e@80x24.org> | 2023-11-27 10:23:48 +0000 |
---|---|---|
committer | Eric Wong <e@80x24.org> | 2023-11-27 21:25:46 +0000 |
commit | 577e421a0815e66f965bd4317adad5aeea3cc52a (patch) | |
tree | c53ac7d844f0134138ada0605dc6ac0368d4a40b /lib/PublicInbox/MID.pm | |
parent | bedd1b759b3bcaa471bffc97391d8c04cdcbd550 (diff) | |
download | public-inbox-577e421a0815e66f965bd4317adad5aeea3cc52a.tar.gz |
Our use of MID_ESC characters was only intended for the pathname component of URIs and not appropriate for the query string component.

So use a different $unsafe parameter list for uri_escape to make the result appropriate for query strings by disallowing [\&\'\+=] characters. Most notably, this change also allows us to accept `/' (slash) unescaped to make dfn: queries nicer to look at.

Finally, we'll also add an ascii_html call on the URI-escaped result as an extra safety measure even though it's not really needed.

As far as I can tell, the code without this fix didn't result in an HTML injection since all our uses of uri_escape did escape angle brackets.

Reported-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
Link: https://public-inbox.org/meta/87o7ff4nlk.fsf@collabora.com/
Tested-by: Ricardo Cañuelo <ricardo.canuelo@collabora.com>
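The path-versus-query distinction described in the commit message, as an added example (not code from public-inbox): it escapes one constructed search term with the MID_ESC set from the diff and with a query-value set assumed from the commit message's description, then parses each result the way a receiving server would. `$QUERY_OK`, `parse_query` and the sample term are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape qw(uri_escape_utf8 uri_unescape);

# Path-component set: copied from MID_ESC in the diff on this page.
my $PATH_OK = '^A-Za-z0-9\-\._~!\$\&\'\(\)\*\+,;=:@';

# Query-value set (assumption, not the project's code): the path set minus
# & ' + = as the commit message describes, plus an unescaped slash.
my $QUERY_OK = '^A-Za-z0-9\-\._~!\$\(\)\*,;:@/';

# Minimal query-string parser, standing in for what a server does on receipt.
sub parse_query {
	my ($qs) = @_;
	my %param;
	for my $pair (split /&/, $qs) {
		my ($k, $v) = split /=/, $pair, 2;
		$v //= '';
		$v =~ tr/+/ /; # form decoding turns '+' into a space
		$param{uri_unescape($k)} = uri_unescape($v);
	}
	\%param;
}

# Constructed search term containing every character the commit singles out.
my $term = q{dfn:lib/a+b.c&x=1'};

for my $set (['path set', $PATH_OK], ['query set', $QUERY_OK]) {
	my ($name, $ok) = @$set;
	my $qs = 'q=' . uri_escape_utf8($term, $ok);
	my $got = parse_query($qs);
	printf "%-9s %s\n", $name, $qs;
	printf "  q round-trips: %s, params seen: %s\n",
		($got->{'q'} eq $term ? 'yes' : 'no'),
		join(',', sort keys %$got);
}
```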
Diffstat (limited to 'lib/PublicInbox/MID.pm')
-rw-r--r-- | lib/PublicInbox/MID.pm | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/PublicInbox/MID.pm b/lib/PublicInbox/MID.pm index b1ae9939..97cf3a54 100644 --- a/lib/PublicInbox/MID.pm +++ b/lib/PublicInbox/MID.pm @@ -125,7 +125,7 @@ sub uniq_mids ($;$) { \@ret; } -# RFC3986, section 3.3: +# RFC3986, section 3.3 (pathnames only): sub MID_ESC () { '^A-Za-z0-9\-\._~!\$\&\'\(\)\*\+,;=:@' } sub mid_escape ($) { uri_escape_utf8($_[0], MID_ESC) } |
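Review bot: the new "(pathnames only)" comment above MID_ESC states the restriction but not the reason, and nothing in the names MID_ESC or mid_escape keeps a later caller from using them to build a query string. Since the set leaves `&`, `'`, `+` and `=` unescaped, consider naming those characters in the comment and pointing to whichever helper is meant for query strings (not visible in this file-limited diff), so the path/query distinction is documented where the constant is defined.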