diff options
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/apache/manifests/mod/fcgid.pp | 7 | ||||
| -rw-r--r-- | modules/apache/templates/urlescape | 9 | ||||
| -rw-r--r-- | modules/apache/templates/vhost_fcgid.conf | 3 | ||||
| -rw-r--r-- | modules/viewvc/files/setcookieredirect.html | 4 |
4 files changed, 20 insertions, 3 deletions
diff --git a/modules/apache/manifests/mod/fcgid.pp b/modules/apache/manifests/mod/fcgid.pp index 6c815681..b8186a64 100644 --- a/modules/apache/manifests/mod/fcgid.pp +++ b/modules/apache/manifests/mod/fcgid.pp @@ -1,4 +1,11 @@ class apache::mod::fcgid { include apache::base package { 'apache-mod_fcgid': } + + file { 'urlescape': + path => '/usr/local/bin/urlescape', + mode => '0755', + notify => Service['apache'], + content => template('apache/urlescape'), + } } diff --git a/modules/apache/templates/urlescape b/modules/apache/templates/urlescape new file mode 100644 index 00000000..8feb7fa4 --- /dev/null +++ b/modules/apache/templates/urlescape @@ -0,0 +1,9 @@ +#!/usr/bin/python3 -u +# URL escape each path given on stdin +import sys +import urllib.parse +while True: + l = sys.stdin.readline() + if not l: + break + print(urllib.parse.quote(l.rstrip("\n"))) diff --git a/modules/apache/templates/vhost_fcgid.conf b/modules/apache/templates/vhost_fcgid.conf index 3aed1ea2..f137c866 100644 --- a/modules/apache/templates/vhost_fcgid.conf +++ b/modules/apache/templates/vhost_fcgid.conf @@ -27,10 +27,11 @@ RewriteRule . - [R=403,L] # set, redirect to a page where it will be set using JavaScript and redirect # back. This will block requests from user agents that do not support # JavaScript, which includes many robots. +RewriteMap urlescape prg:/usr/local/bin/urlescape RewriteCond %{QUERY_STRING} pathrev=|r1= RewriteCond %{REQUEST_URI} !/_check RewriteCond %{HTTP_COOKIE} !session=([^;]+) [novary] -RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?%{QUERY_STRING} [R=302,L] +RewriteRule . %{REQUEST_SCHEME}://%{SERVER_NAME}:%{SERVER_PORT}/_check?to=%{REQUEST_URI}?${urlescape:%{QUERY_STRING}} [R=302,L] # Block abusive spiders by IP address who don't identify themselves in the # User-Agent: string diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html index acb34af6..17322c18 100644 --- a/modules/viewvc/files/setcookieredirect.html +++ b/modules/viewvc/files/setcookieredirect.html @@ -10,9 +10,9 @@ }); let path = params.to; // Sanitize redirect path to avoid malicious arbitrary redirects - if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(path)) { + if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURI(path))) { const current = new URL(window.location.toLocaleString()); - window.location.href = current.origin + path; + window.location.href = current.origin + encodeURI(decodeURI(path)); } else { window.onload = function() { document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; |