From dfd818595b54942cb1adc45f6aed95c9b706e3a8 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Fri, 4 Sep 2020 17:38:30 +1200 Subject: [PATCH] Merge pull request from GHSA-jvf6-h9gj-pmj6 * Add slash prefix to path-rootless or path-noscheme URLs * Update src/anyp/Uri.cc Co-authored-by: Alex Rousskov * restore file trailer GH auto-removes * Remove redundant path-empty check * Removed stale comment left behind by b2ab59a Many things imply a leading `/` in a URI. Their enumeration is likely to (and did) become stale, misleading the reader. * fixup: Remind that the `src` iterator may be at its end We are dereferencing `src` without comparing it to `\0`. To many readers that (incorrectly) implies that we are not done iterating yet. Also fixed branch-added comment indentation. Co-authored-by: Alex Rousskov --- src/anyp/Uri.cc | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc index b745c54..31f02d5 100644 --- a/src/anyp/Uri.cc +++ b/src/anyp/Uri.cc @@ -293,8 +293,9 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl) return false; *dst = '\0'; - // bug 3074: received 'path' starting with '?', '#', or '\0' implies '/' - if (*src == '?' || *src == '#' || *src == '\0') { + // We are looking at path-abempty. + if (*src != '/') { + // path-empty, including the end of the `src` c-string cases urlpath[0] = '/'; dst = &urlpath[1]; } else { @@ -308,11 +309,6 @@ AnyP::Uri::parse(const HttpRequestMethod& method, const SBuf &rawUrl) /* We -could- be at the end of the buffer here */ if (i > l) return false; - /* If the URL path is empty we set it to be "/" */ - if (dst == urlpath) { - *dst = '/'; - ++dst; - } *dst = '\0'; foundPort = scheme.defaultPort(); // may be reset later