authorJon Marius Venstad <jonmv@gmail.com>2022-04-06 12:18:52 +0200
committerJon Marius Venstad <jonmv@gmail.com>2022-04-06 12:18:52 +0200
commit0a9fa49f691cec760cefc61af664e0506d0e7ef5 (patch)
tree4339ca5465d14732ed1115d778242d21dff5f95b /container-core
parent97707f39eb5c759ff331ca5db3982e93864bf666 (diff)
Require that decoded segments also are safe, all the way down!
Diffstat (limited to 'container-core')
-rw-r--r--container-core/src/main/java/com/yahoo/restapi/HttpURL.java6
1 files changed, 4 insertions, 2 deletions
diff --git a/container-core/src/main/java/com/yahoo/restapi/HttpURL.java b/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
index 7a5986ed067..a876aeea6b5 100644
--- a/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
+++ b/container-core/src/main/java/com/yahoo/restapi/HttpURL.java
@@ -150,9 +150,11 @@ public class HttpURL {
}
}
- /** Require that the given string contains no {@code '/'}, or anything that could be URL-decoded to one. */
+ /** Require that the given string (possibly decoded multiple times) contains no {@code '/'}, and isn't either of {@code "", ".", ".."}. */
public static void requirePathSegment(String value) {
- require( ! value.contains("/") && ! value.matches(".*%(25)*(%(25)*32|2)(%(25)*([46])6|F|f).*"), value, "path segment cannot contain '/'");
+ while ( ! value.equals(value = decode(value, UTF_8)));
+ require( ! value.contains("/"), value, "path segment decoded cannot contain '/'");
+ Path.requireNonNormalizable(value);
}
private static void requireNothing(String value) { }
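Review bot: The loop on the first added line overwrites the `value` parameter, so the `require` call and `Path.requireNonNormalizable` report the fully decoded string rather than the segment the caller supplied, which makes a rejection harder to trace back to the request that caused it. Decoding into a local (`String decoded = value;`) and calling `require( ! decoded.contains("/"), value, "path segment decoded cannot contain '/'");` keeps the check and reports the original input. If `decode` is `java.net.URLDecoder.decode` (its import is outside the hunk), a malformed escape such as a trailing `%` would throw from the decoder instead of going through `require`, and `+` would become a space; a short comment saying whether both are intended would help. The empty-bodied `while` also depends on the receiver being evaluated before the assignment in its argument, so it deserves a comment such as `// decode until a fixed point, so nested encodings of '/' are caught`.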