Commit d0350660 authored by Xavier Guimard's avatar Xavier Guimard

More security for path

parent b3413bb9
......@@ -112,7 +112,11 @@ sub handler {
}
# Only words are taken in path
my @path = grep { $_ =~ /^[\.\w]+/ } split /\//, $req->path();
my $last = 0;
my @path = grep {
$last = 1 if ( $_ =~ /[^\.\w]/ );
( $last or /^$/ ? 0 : 1 );
} split /\//, $req->path();
$self->lmLog( "Start routing " . ( $path[0] // 'default route' ), 'debug' );
if ( !@path and $self->defaultRoute ) {
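Review bot: In the new `grep` block in `handler`, `( $last or /^$/ ? 0 : 1 )` parses as `$last or ( /^$/ ? 0 : 1 )` because `?:` binds tighter than `or`. Once `$last` is set the block therefore returns true, so the segment containing the disallowed character and every segment after it are kept instead of dropped. If the intent is to cut the path at the first segment with a character outside `[.\w]`, the last line should read `( $last or $_ eq '' ) ? 0 : 1;`. The class still allows `.`, so `.` and `..` segments pass; the `# Only words are taken in path` comment should say whether that is intended and whether a rejected path is meant to be truncated or answered with an error. `handler` starts and ends outside the hunk, so how `@path` is consumed further down is not visible here.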
......@@ -136,7 +140,7 @@ sub followPath {
}
if ( $routes->{':'} ) {
my $v = shift @$path;
$req->set_param($routes->{'#'}, $v);
$req->set_param( $routes->{'#'}, $v );
if ( ref( $routes->{':'} ) eq 'CODE' ) {
return $routes->{':'}->( $self, $req, @$path );
}
......
......@@ -62,6 +62,12 @@ ok( $res->[2]->[0] eq 'Auth', 'Get auth result' )
or print "Expect Auth, got $res->[2]->[0]\n";
count(3);
# Pad path test
ok($res = $client->_get('/[]/test'), 'Try a bad path');
ok( $res->[0] == 400, 'Response is 400' );
count(2);
clean();
done_testing( count() );
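Review bot: The added test checks only a path whose first segment is invalid, and only its status code, so it cannot tell whether the 400 comes from the new filter or from route lookup failing on the literal segment `[]`. A second case with a valid first segment followed by an invalid one (a constructed example is `'/test/[]'`) would exercise the `$last` latch in `handler`, which is the part this commit adds. The comment `# Pad path test` presumably means `# Bad path test`. Using `is( $res->[0], 400, 'Response is 400' )` would print the received status on failure.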
......