escape child href in pg propfind webdav

Sat, 14 May 2022 11:18:14 +0200

author
Olaf Wintermann <olaf.wintermann@gmail.com>
date
Sat, 14 May 2022 11:18:14 +0200
branch
webdav
changeset 356
eebc3d32c7c1
parent 355
4a7dd7ff92c9
child 357
f45e962edf45

escape child href in pg propfind

src/server/plugins/postgresql/webdav.c
src/server/plugins/postgresql/webdav.h
--- a/src/server/plugins/postgresql/webdav.c	Sat May 14 10:49:04 2022 +0200
+++ b/src/server/plugins/postgresql/webdav.c	Sat May 14 11:18:14 2022 +0200
@@ -523,12 +523,17 @@
                 log_ereport(LOG_FAILURE, "pg_dav_propfind_do: query returned invalid path");
                 return 1;
             }
-            char *newres_href = pool_malloc(pool, pathlen+2);
-            memcpy(newres_href, path, pathlen);
+            if(pathlen > PG_MAX_PATH_LEN) {
+                log_ereport(LOG_FAILURE, "pg_dav_propfind_do: path too long: resource_id: %s", res_id);
+                return 1;
+            }
+            char *newres_href = pool_malloc(pool, (pathlen*3)+2);
+            util_uri_escape(newres_href, path);
             if(iscollection && path[pathlen-1] != '/') {
-                newres_href[pathlen++] = '/';
+                size_t newres_href_len = strlen(newres_href);
+                newres_href[newres_href_len] = '/';
+                newres_href[newres_href_len+1] = '\0';
             }
-            newres_href[pathlen] = '\0';
             
             // new resource
             resource = response->addresource(response, newres_href);
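Review bot: The result of `pool_malloc(pool, (pathlen*3)+2)` is handed straight to `util_uri_escape` without a NULL check, so an allocation failure here passes a null pointer to the escape call and to the later `strlen` and `addresource`, instead of taking the `return 1` path the neighbouring error checks use. Add `if(!newres_href) { log_ereport(LOG_FAILURE, "pg_dav_propfind_do: pool_malloc failed"); return 1; }` directly after the allocation. The sizing looks sufficient now that `pathlen` is capped by `PG_MAX_PATH_LEN`, but it deserves a comment such as `// worst case: every byte escaped as %XX (3 bytes), plus optional trailing '/' and NUL`. It also assumes `path` is NUL-terminated with `strlen(path) == pathlen`, which cannot be confirmed here because the function starts and ends outside the hunk.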
--- a/src/server/plugins/postgresql/webdav.h	Sat May 14 10:49:04 2022 +0200
+++ b/src/server/plugins/postgresql/webdav.h	Sat May 14 11:18:14 2022 +0200
@@ -38,7 +38,9 @@
 #ifdef __cplusplus
 extern "C" {
 #endif
-
+    
+#define PG_MAX_PATH_LEN 0x8000
+    
 typedef struct PgWebdavBackend {
     ResourceData *pg_resource;
     PGconn *connection;
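Review bot: `PG_MAX_PATH_LEN` is added without a comment saying what it bounds, although the new allocation in webdav.c depends on it: this cap is presumably what keeps `(pathlen*3)+2` from growing without limit on a path returned by the database. I would document it at the definition, e.g. `/* max length in bytes of an unescaped resource path; the escaped href buffer is sized at 3x this plus 2 */`. The two added lines around the define contain only trailing whitespace and could be plain empty lines.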
