[PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH

git.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO
@ 2012-08-09  2:29 Jay Soffian
  2012-08-09 15:38 ` Junio C Hamano
  0 siblings, 1 reply; 4+ messages in thread
From: Jay Soffian @ 2012-08-09  2:29 UTC (permalink / raw)
  To: git; +Cc: Jay Soffian, Jakub Narebski, Junio C Hamano

When gitweb is used as a DirectoryIndex, it attempts to strip
PATH_INFO on its own, as $cgi->url() fails to do so.

However, it fails to account for the fact that PATH_INFO has
already been URL-decoded by the web server, but the value
returned by $cgi->url() has not been. This causes the stripping
to fail whenever the URL contains encoded characters.

To see this in action, setup gitweb as a DirectoryIndex and
then use it on a repository with a directory containing a
space in the name. Navigate to tree view, examine the gitweb
generated html and you'll see a link such as:

  <a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a>

When clicked on, the browser will URL-encode this link, giving
a $cgi->url() of the form:

   /test.git/tree/HEAD:/directory%20with%20spaces

While PATH_INFO is:

   /test.git/tree/HEAD:/directory with spaces

Fix this by calling unescape() on both $my_url and $my_uri before
stripping PATH_INFO from them.

Signed-off-by: Jay Soffian <jaysoffian@gmail.com>
---
 gitweb/gitweb.perl | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 3d6a705388..7f8c1878d4 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -54,6 +54,11 @@ sub evaluate_uri {
 	# to build the base URL ourselves:
 	our $path_info = decode_utf8($ENV{"PATH_INFO"});
 	if ($path_info) {
+		# $path_info has already been URL-decoded by the web server, but
+		# $my_url and $my_uri have not. URL-decode them so we can properly
+		# strip $path_info.
+		$my_url = unescape($my_url);
+		$my_uri = unescape($my_uri);
 		if ($my_url =~ s,\Q$path_info\E$,, &&
 		    $my_uri =~ s,\Q$path_info\E$,, &&
 		    defined $ENV{'SCRIPT_NAME'}) {
-- 
1.7.11.3

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO
  2012-08-09  2:29 [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO Jay Soffian
@ 2012-08-09 15:38 ` Junio C Hamano
  2012-08-15 18:15   ` Jakub Narebski
  0 siblings, 1 reply; 4+ messages in thread
From: Junio C Hamano @ 2012-08-09 15:38 UTC (permalink / raw)
  To: Jay Soffian; +Cc: git, Jakub Narebski

Jay Soffian <jaysoffian@gmail.com> writes:

> When gitweb is used as a DirectoryIndex, it attempts to strip
> PATH_INFO on its own, as $cgi->url() fails to do so.
>
> However, it fails to account for the fact that PATH_INFO has
> already been URL-decoded by the web server, but the value
> returned by $cgi->url() has not been. This causes the stripping
> to fail whenever the URL contains encoded characters.
>
> To see this in action, setup gitweb as a DirectoryIndex and
> then use it on a repository with a directory containing a
> space in the name. Navigate to tree view, examine the gitweb
> generated html and you'll see a link such as:
>
>   <a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a>
>
> When clicked on, the browser will URL-encode this link, giving
> a $cgi->url() of the form:
>
>    /test.git/tree/HEAD:/directory%20with%20spaces
>
> While PATH_INFO is:
>
>    /test.git/tree/HEAD:/directory with spaces
>
> Fix this by calling unescape() on both $my_url and $my_uri before
> stripping PATH_INFO from them.
>
> Signed-off-by: Jay Soffian <jaysoffian@gmail.com>
> ---

Thanks.  From a cursory look, with the help from the explanation in
the proposed commit log message, the change looks sensible.

I wonder if a breakage like this is something we can catch in one of
the t95xx series of tests, though.

Jakub, Ack?

>  gitweb/gitweb.perl | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 3d6a705388..7f8c1878d4 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -54,6 +54,11 @@ sub evaluate_uri {
>  	# to build the base URL ourselves:
>  	our $path_info = decode_utf8($ENV{"PATH_INFO"});
>  	if ($path_info) {
> +		# $path_info has already been URL-decoded by the web server, but
> +		# $my_url and $my_uri have not. URL-decode them so we can properly
> +		# strip $path_info.
> +		$my_url = unescape($my_url);
> +		$my_uri = unescape($my_uri);
>  		if ($my_url =~ s,\Q$path_info\E$,, &&
>  		    $my_uri =~ s,\Q$path_info\E$,, &&
>  		    defined $ENV{'SCRIPT_NAME'}) {

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO
  2012-08-09 15:38 ` Junio C Hamano
@ 2012-08-15 18:15   ` Jakub Narebski
  2012-08-15 18:47     ` Junio C Hamano
  0 siblings, 1 reply; 4+ messages in thread
From: Jakub Narebski @ 2012-08-15 18:15 UTC (permalink / raw)
  To: Junio C Hamano; +Cc: Jay Soffian, git

On Thu, 9 Aug 2012, Junio C Hamano wrote:
> Jay Soffian <jaysoffian@gmail.com> writes:
> 
> > When gitweb is used as a DirectoryIndex, it attempts to strip
> > PATH_INFO on its own, as $cgi->url() fails to do so.
> >
> > However, it fails to account for the fact that PATH_INFO has
> > already been URL-decoded by the web server, but the value
> > returned by $cgi->url() has not been. This causes the stripping
> > to fail whenever the URL contains encoded characters.
> >
> > To see this in action, setup gitweb as a DirectoryIndex and
> > then use it on a repository with a directory containing a
> > space in the name. Navigate to tree view, examine the gitweb
> > generated html and you'll see a link such as:
> >
> >   <a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a>
> >
> > When clicked on, the browser will URL-encode this link, giving
> > a $cgi->url() of the form:
> >
> >    /test.git/tree/HEAD:/directory%20with%20spaces
> >
> > While PATH_INFO is:
> >
> >    /test.git/tree/HEAD:/directory with spaces
> >
> > Fix this by calling unescape() on both $my_url and $my_uri before
> > stripping PATH_INFO from them.
> >
> > Signed-off-by: Jay Soffian <jaysoffian@gmail.com>
> > ---
> 
> Thanks.  From a cursory look, with the help from the explanation in
> the proposed commit log message, the change looks sensible.
> 
> I wonder if a breakage like this is something we can catch in one of
> the t95xx series of tests, though.

No, it is unfortunately not possible with current test infrastructure
for gitweb.  The gitweb_run from t/gitweb-lib.sh allows to set
PATH_INFO and QUERY_STRING, but does not allow to set up URL.

That might change in the future...

> Jakub, Ack?

Acked-by: Jakub Narebski <jnareb@gmail.com>

Uf ut us bot too late...


-- 
Jakub Narebski
Poland

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO
  2012-08-15 18:15   ` Jakub Narebski
@ 2012-08-15 18:47     ` Junio C Hamano
  0 siblings, 0 replies; 4+ messages in thread
From: Junio C Hamano @ 2012-08-15 18:47 UTC (permalink / raw)
  To: Jakub Narebski; +Cc: Jay Soffian, git

Jakub Narebski <jnareb@gmail.com> writes:

> On Thu, 9 Aug 2012, Junio C Hamano wrote:
>> Jay Soffian <jaysoffian@gmail.com> writes:
>> 
>> > When gitweb is used as a DirectoryIndex, it attempts to strip
>> > PATH_INFO on its own, as $cgi->url() fails to do so.
>> >
>> > However, it fails to account for the fact that PATH_INFO has
>> > already been URL-decoded by the web server, but the value
>> > returned by $cgi->url() has not been. This causes the stripping
>> > to fail whenever the URL contains encoded characters.
>> >
>> > To see this in action, setup gitweb as a DirectoryIndex and
>> > then use it on a repository with a directory containing a
>> > space in the name. Navigate to tree view, examine the gitweb
>> > generated html and you'll see a link such as:
>> >
>> >   <a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a>
>> >
>> > When clicked on, the browser will URL-encode this link, giving
>> > a $cgi->url() of the form:
>> >
>> >    /test.git/tree/HEAD:/directory%20with%20spaces
>> >
>> > While PATH_INFO is:
>> >
>> >    /test.git/tree/HEAD:/directory with spaces
>> >
>> > Fix this by calling unescape() on both $my_url and $my_uri before
>> > stripping PATH_INFO from them.
>> >
>> > Signed-off-by: Jay Soffian <jaysoffian@gmail.com>
>> > ---
>> 
>> Thanks.  From a cursory look, with the help from the explanation in
>> the proposed commit log message, the change looks sensible.
>> 
>> I wonder if a breakage like this is something we can catch in one of
>> the t95xx series of tests, though.
>
> No, it is unfortunately not possible with current test infrastructure
> for gitweb.  The gitweb_run from t/gitweb-lib.sh allows to set
> PATH_INFO and QUERY_STRING, but does not allow to set up URL.
>
> That might change in the future...
>
>> Jakub, Ack?
>
> Acked-by: Jakub Narebski <jnareb@gmail.com>
>
> Uf ut us bot too late...

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2012-08-15 18:47 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-08-09  2:29 [PATCH] gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO Jay Soffian
2012-08-09 15:38 ` Junio C Hamano
2012-08-15 18:15   ` Jakub Narebski
2012-08-15 18:47     ` Junio C Hamano

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).