diff options
author | Jay Soffian <jaysoffian@gmail.com> | 2012-08-08 22:29:26 -0400 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2012-08-15 11:47:43 -0700 |
commit | cacfc09ba82bfc6b0e1c047247785d56a6054b2f (patch) | |
tree | 5cd09dd23e9dfc4024db891f69be9107fb575d84 | |
parent | 785ee4960c3d334cbc2b17ab74d2cebdf1b4db64 (diff) | |
download | git-cacfc09ba82bfc6b0e1c047247785d56a6054b2f.tar.gz git-cacfc09ba82bfc6b0e1c047247785d56a6054b2f.tar.xz |
gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO
When gitweb is used as a DirectoryIndex, it attempts to strip
PATH_INFO on its own, as $cgi->url() fails to do so.
However, it fails to account for the fact that PATH_INFO has
already been URL-decoded by the web server, but the value
returned by $cgi->url() has not been. This causes the stripping
to fail whenever the URL contains encoded characters.
To see this in action, setup gitweb as a DirectoryIndex and
then use it on a repository with a directory containing a
space in the name. Navigate to tree view, examine the gitweb
generated html and you'll see a link such as:
<a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a>
When clicked on, the browser will URL-encode this link, giving
a $cgi->url() of the form:
/test.git/tree/HEAD:/directory%20with%20spaces
While PATH_INFO is:
/test.git/tree/HEAD:/directory with spaces
Fix this by calling unescape() on both $my_url and $my_uri before
stripping PATH_INFO from them.
Signed-off-by: Jay Soffian <jaysoffian@gmail.com>
Acked-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rwxr-xr-x | gitweb/gitweb.perl | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index a8b5fad26..126d3ef4b 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -54,6 +54,11 @@ sub evaluate_uri { # to build the base URL ourselves: our $path_info = decode_utf8($ENV{"PATH_INFO"}); if ($path_info) { + # $path_info has already been URL-decoded by the web server, but + # $my_url and $my_uri have not. URL-decode them so we can properly + # strip $path_info. + $my_url = unescape($my_url); + $my_uri = unescape($my_uri); if ($my_url =~ s,\Q$path_info\E$,, && $my_uri =~ s,\Q$path_info\E$,, && defined $ENV{'SCRIPT_NAME'}) { |