diff options
author | Karen Arutyunov <karen@codesynthesis.com> | 2018-01-28 00:56:14 +0300 |
---|---|---|
committer | Karen Arutyunov <karen@codesynthesis.com> | 2018-02-08 18:43:02 +0300 |
commit | 4fe188dee733c28b8b7d2d6b3e7d7904d1d30b65 (patch) | |
tree | c089ad2ddf72478b579697f6571cefd8761938cf /libbpkg/manifest.cxx | |
parent | aef171cd9a6948deb379be3515b972a0e9dcce13 (diff) |
Fix repository_url ctor to normalize path
Diffstat (limited to 'libbpkg/manifest.cxx')
-rw-r--r-- | libbpkg/manifest.cxx | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/libbpkg/manifest.cxx b/libbpkg/manifest.cxx index 6a5ff23..11282d0 100644 --- a/libbpkg/manifest.cxx +++ b/libbpkg/manifest.cxx @@ -1446,6 +1446,20 @@ namespace bpkg if (path->absolute ()) bad_url ("absolute path"); + + try + { + path->normalize (false /* actual */, true /* cur_empty */); + } + catch (const invalid_path& e) + { + assert (false); // Can't be here as the path is relative. + } + + // URL shouldn't go past the root directory of a WEB server. + // + if (!path->empty () && *path->begin () == "..") + bad_url ("invalid path"); }; if (casecmp (scheme, "http") == 0) @@ -1495,6 +1509,17 @@ namespace bpkg bad_url ("relative path"); #endif + assert (path->absolute ()); + + try + { + path->normalize (); + } + catch (const invalid_path& e) + { + bad_url ("invalid path"); // Goes past the root directory. + } + if (query) bad_url (); @@ -1506,7 +1531,7 @@ namespace bpkg { try { - path = path_type (url); + path = path_type (url).normalize (); } catch (const invalid_path&) { @@ -1836,9 +1861,12 @@ namespace bpkg // and canonical name. So a/b/../c/1/x/../y and a/c/1/y to be considered // as same location. // + // Note that we need to collapse 'example.com/a/..' to 'example.com/', + // rather than to 'example.com/.'. + // try { - up.normalize (); + up.normalize (false /* actual */, remote () /* cur_empty */); } catch (const invalid_path&) { @@ -2216,7 +2244,7 @@ namespace bpkg try { - ipath.normalize (false, true); // Current dir collapses to an empty one. + ipath.normalize (false /* actual */, true /* cur_empty */); } catch (const invalid_path&) { |