Re: [hackers] [quark][PATCH] Don't reject /.well-known/ (see RFC 8615)

From: Laslo Hunhold <dev_AT_frign.de>
Date: Mon, 17 Aug 2020 10:41:30 +0200

On Sat, 15 Aug 2020 15:32:11 -0700
robert <robertrussell.72001_AT_gmail.com> wrote:

Dear Robert,

thanks for your patch!

> Previously, all hidden targets were rejected with 403, but
> /.well-known/ and its contents should be an exception.
>
> - /* reject hidden target */
> - if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
> + /* reject hidden target, except for /.well-known/
> + * and its contents (see RFC 8615) */
> + if (realtarget[0] == '.' || (strstr(realtarget, "/.") &&
> + strstr(realtarget, "/.well-known/") != realtarget)) {
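Review bot: in the new condition, `strstr(realtarget, "/.well-known/") != realtarget` switches the whole hidden-target test off as soon as the path begins with /.well-known/, so a dot-prefixed component further down (a path of the shape /.well-known/x/.y) is no longer rejected with 403. If the exemption is meant for the well-known directory itself, compare the prefix with strncmp() and keep applying the "/." test to the remainder of the path. strstr() is also an odd fit for what is a prefix test: it scans the whole string when only the leading bytes matter.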

I'm not sure this reflects the correct behaviour, as the RFC states on
page 4:

   Well-known URIs are rooted in the top of the path's hierarchy; they
   are not well-known by definition in other parts of the path. For
   example, "/.well-known/example" is a well-known URI, whereas
   "/foo/.well-known/example" is not.

Using strstr() thus is not the correct approach, but I have committed a
change to properly support it[0].

With best regards

Laslo

[0]:https://git.suckless.org/quark/commit/3bd49b24561ce3c7be916ab0abbc78288721ddc4.html
Received on Mon Aug 17 2020 - 10:41:30 CEST
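The rooted-prefix rule from RFC 8615 discussed above, as an added example that is not quark's code and not the commit referenced in [0]. The function names `patch_rejects` and `strict_rejects` are hypothetical, the sample paths are constructed, and continuing to reject hidden components below /.well-known/ is an assumption of this example, not something the thread decides.

```c
#include <stdio.h>
#include <string.h>

#define WELL_KNOWN "/.well-known/"

/* The condition from the quoted hunk, reproduced for comparison. */
static int
patch_rejects(const char *t)
{
	return t[0] == '.' || (strstr(t, "/.") &&
	       strstr(t, WELL_KNOWN) != t);
}

/*
 * Hypothetical stricter check: exempt only the leading "/.well-known/"
 * component, then keep rejecting hidden components in the rest.
 * Assumes t is an already normalized, NUL-terminated request path.
 */
static int
strict_rejects(const char *t)
{
	size_t n = sizeof(WELL_KNOWN) - 1;

	if (t[0] == '.')
		return 1;
	/* resume at the prefix's trailing '/' so "/.well-known/.x" is caught */
	if (!strncmp(t, WELL_KNOWN, n))
		t += n - 1;
	return strstr(t, "/.") != NULL;
}

int
main(void)
{
	/* constructed sample paths */
	const char *s[] = {
		"/index.html", "/.well-known/example", "/foo/.well-known/example",
		"/.git/config", "/.well-known/.hidden", "/.well-known/a/.b",
	};
	size_t i;

	for (i = 0; i < sizeof(s) / sizeof(*s); i++)
		printf("%-28s patch=%d strict=%d\n", s[i],
		       patch_rejects(s[i]), strict_rejects(s[i]));
	return 0;
}
```

The two checks agree on the first four paths and differ only on the last two, where a hidden component sits below the well-known directory.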
