[Jifty-commit] r865 - in jifty/trunk: lib/Jifty

jifty-commit at lists.jifty.org jifty-commit at lists.jifty.org
Fri Apr 14 16:17:59 EDT 2006


Author: alexmv
Date: Fri Apr 14 16:17:58 2006
New Revision: 865

Modified:
   jifty/trunk/   (props changed)
   jifty/trunk/lib/Jifty/Continuation.pm

Log:
 r12369 at zoq-fot-pik:  chmrr | 2006-04-14 16:17:38 -0400
  * Unescape incoming and stored URIs to make them match better
  * If that fails, warn if it looks dodgy.


Modified: jifty/trunk/lib/Jifty/Continuation.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Continuation.pm	(original)
+++ jifty/trunk/lib/Jifty/Continuation.pm	Fri Apr 14 16:17:58 2006
@@ -153,12 +153,20 @@
     my $request_path = $self->request->path;
 
     # XXX TODO: WE should be using URI canonicalization
-    $called_uri =~ s{/+}{/}g; 
+    my $escape;
+    $called_uri =~ s{/+}{/}g;
+    $called_uri = $escape while $called_uri ne ($escape = URI::Escape::uri_unescape($called_uri));
     $request_path =~ s{/+}{/}g; 
-
+    $request_path = $escape while $request_path ne ($escape = URI::Escape::uri_unescape($request_path));
 
     if (defined $request_path and 
-        ($called_uri ne $request_path . "?J:CALL=" . $self->id)) {
+        ($called_uri !~ /^\Q$request_path\E[?&;]J:CALL=@{[$self->id]}/)) {
+        # If we needed to fix up the path (it contains invalid
+        # characters) then warn, because this may cause infinite
+        # redirects
+        Jifty->log->warn("Redirect to '@{[$self->request->path]}' contains unsafe characters")
+          if $self->request->path =~ m{[^A-Za-z0-9\-_.!~*'()/?&;+]};
+
         # Clone our request
         my $request = Clone::clone($self->request);
         
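Review bot: The rewritten comparison on the `$called_uri !~ ...` line interpolates `$self->id` without `\Q...\E` and puts nothing after it, so an id that is only a prefix of the one in the URI, or that contains regex metacharacters, counts as a match, whereas the old `ne` test was exact. Unless ids are known to be fixed-length and alphanumeric, something like `/^\Q$request_path\E[?&;]J:CALL=\Q@{[$self->id]}\E(?:[&;]|\z)/` keeps the looser separator handling while still pinning the id. Separately, `s{/+}{/}g` runs before each unescape loop, so slashes that only appear once `%2F` is decoded are never collapsed; moving the collapse after the loop would canonicalise both sides the same way. The new warning also interpolates the raw request path exactly when it contains characters outside the safe set, so it is worth escaping the value (for example with `URI::Escape::uri_escape`) before it reaches the log. The enclosing sub starts and ends outside this hunk.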

