[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gnu-arch-users] Tlacontrib contribution: Alternative to .listing fi

From: Jan Hudec
Subject: Re: [Gnu-arch-users] Tlacontrib contribution: Alternative to .listing files
Date: Thu, 23 Sep 2004 08:30:57 +0200
User-agent: Mutt/1.5.6+20040818i

On Wed, Sep 22, 2004 at 09:08:51 -0500, John Meinel wrote:
> Jan Hudec wrote:
> >On Wed, Sep 22, 2004 at 13:36:02 +0200, Johannes Berg wrote:
> >
> >>>Few days ago it was suggested, that to avoid problems with stale
> >>>.listing files, the archive could be accessed via a cgi script, that
> >>>would create them on the fly and just cat everything else. So, here is
> >>>such a script:
> >>
> >>Cool. Does this work with multiple archives, that is, can I put it into a
> >>directory where multiple archives reside and then tell arch to access the
> >>archives as
> >>http://uri-to-archives/address@hidden/
> >>
> >>?
> >
> >
> >Yes, you can. It really does equivaltent of:
> >
> >if expr $query_string : '.*\.listing$'; then
> >    ls ${query_string%.listing}
> >else
> >    cat ${query_string}
> >fi
> >
> >but it's in C, so it is faster and more secure.
> >
> >
> [...]
> I'm curious. Do you do a lot of safety checking on the input URL?
> Meaning if I went to the archive and did this:
> http://uri-to-archives/address@hidden/../../../../.listing
> I'm not going to get the "root" listing, right?

No, you are going to get some weird-looking error and a message saying
'Argument with .. received' is going to appear in the access log.

The C version does argument parsing that:
1) Decodes % codes (and dies with error if the codes are incorrect)
2) Strips leading slashes (and backslashes).
3) Dies with an error if it encounters .. as a component or .ht at the
   begining of a component.

The uri-decoding takes place first, so it won't be fooled by % escaped

It also does not accept too long (more that 4KB) argument, but IIRC you
can't send that with the GET method anyway and POST method is not
supported (it won't bother reading stdin).

                                                 Jan 'Bulb' Hudec 

Attachment: signature.asc
Description: Digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]