--- a/src/server/daemon/httprequest.c Sat Jan 28 10:53:46 2017 +0100 +++ b/src/server/daemon/httprequest.c Mon Jan 30 20:54:20 2017 +0100 @@ -234,11 +234,22 @@ } // Get abs_path part of request URI, and canonicalize the path + sstr_t orig_path = absPath; absPath.ptr = util_canonicalize_uri( pool, absPath.ptr, absPath.length, (int*)&absPath.length); + if(!absPath.ptr) { + log_ereport( + LOG_WARN, + "invalid request path: {%.*s}", + (int)orig_path.length, + orig_path.ptr); + pool_destroy(pool); + // TODO: 400 bad request + return 1; + } // Decode the abs_path if(util_uri_unescape_strict(absPath.ptr)) { @@ -250,7 +261,12 @@ rq->rq.reqpb); } else { // TODO: log error - log_ereport(LOG_WARN, "uri unescape failed"); + log_ereport( + LOG_WARN, + "uri unescape failed: {%.*s}", + (int)absPath.length, + absPath.ptr); + // TODO: 400 bad request pblock_kvinsert(pb_key_uri, "/", 1, rq->rq.reqpb); }