author | Jon Marius Venstad <jonmv@gmail.com> | 2022-04-06 12:18:52 +0200 |
---|---|---|
committer | Jon Marius Venstad <jonmv@gmail.com> | 2022-04-06 12:18:52 +0200 |
commit | 0a9fa49f691cec760cefc61af664e0506d0e7ef5 (patch) | |
tree | 4339ca5465d14732ed1115d778242d21dff5f95b /container-core | |
parent | 97707f39eb5c759ff331ca5db3982e93864bf666 (diff) |
Require that decoded segments also are safe, all the way down!
Diffstat (limited to 'container-core')
-rw-r--r-- | container-core/src/main/java/com/yahoo/restapi/HttpURL.java | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/container-core/src/main/java/com/yahoo/restapi/HttpURL.java b/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
index 7a5986ed067..a876aeea6b5 100644
--- a/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
+++ b/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
@@ -150,9 +150,11 @@ public class HttpURL {
 }
 }
- /** Require that the given string contains no {@code '/'}, or anything that could be URL-decoded to one. */
+ /** Require that the given string (possibly decoded multiple times) contains no {@code '/'}, and isn't either of {@code "", ".", ".."}. */
 public static void requirePathSegment(String value) {
- require( ! value.contains("/") && ! value.matches(".*%(25)*(%(25)*32|2)(%(25)*([46])6|F|f).*"), value, "path segment cannot contain '/'");
+ while ( ! value.equals(value = decode(value, UTF_8)));
+ require( ! value.contains("/"), value, "path segment decoded cannot contain '/'");
+ Path.requireNonNormalizable(value);
 }
 private static void requireNothing(String value) { } |
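Review bot: The fixed-point loop in `requirePathSegment` lets `decode` throw on a malformed escape before `require` is reached, so a segment such as `100%` would fail with the decoder's message rather than the "path segment" one; this assumes `decode` is `java.net.URLDecoder.decode`, whose import is outside the hunk. That decoder also maps `+` to a space, which is form decoding rather than path decoding, though it does not weaken the `/` check. Because `value` is overwritten by the loop, the `require` message will presumably report the fully decoded string instead of what the caller passed; decoding into a separate local would keep the original input in the error. I would also add a comment above the loop, `// decode to a fixed point, e.g. "%252F" -> "%2F" -> "/"; decode throws on malformed escapes`, since an assignment inside `equals(...)` with an empty loop body is easy to misread.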