html: properly percent-escape URLs

The only valid characters for a URL are unreserved characters a-zA-Z0-9_-.~ and the reserved characters !*'();:@&=+$,/?%#[] , as per RFC 3986. Everything else must be escaped. Additionally, the # and ? always have special meaning, and the &, =, and + have special meaning in a query string, so they too must be escaped. To make this easier, a table of escapes is now used so that we do not have to call fmt() for each character; if the entry is 0, no escaping is needed. Signed-off-by: Mark Lodato <lodatom@gmail.com>
author: Mark Lodato 2010-02-09 10:12:43 -0500
committer: Mark Lodato 2010-02-09 10:12:43 -0500
commit: a2c6355f9fdede78ce46aeee39ef649637aaadf9 (patch)
tree: 4ed595f688691e7a35c5684ca59164bcc777b74c /html.c
parent: 8aab27f24de70acfbdcee31c634a4b1facf23b92 (diff)
download: cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.tar.gz
cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.tar.bz2
cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.zip
1 files changed, 32 insertions, 4 deletions
diff --git a/html.c b/html.c
index 4033200..337baeb 100644
--- a/html.c
+++ b/html.c
@@ -13,6 +13,32 @@
 #include <string.h>
 #include <errno.h>
+/* Percent-encoding of each character, except: a-zA-Z0-9!$()*,./:;@- */
+static const char* url_escape_table[256] = {
+        "%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09",
+        "%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%10", "%11", "%12", "%13",
+        "%14", "%15", "%16", "%17", "%18", "%19", "%1a", "%1b", "%1c", "%1d",
+        "%1e", "%1f", "%20", 0, "%22", "%23", 0, "%25", "%26", "%27", 0, 0, 0,
+        "%2b", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%3c", "%3d",
+        "%3e", "%3f", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, "%5c", 0, "%5e", 0, "%60", 0, 0, 0, 0, 0,
+        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%7b",
+        "%7c", "%7d", 0, "%7f", "%80", "%81", "%82", "%83", "%84", "%85",
+        "%86", "%87", "%88", "%89", "%8a", "%8b", "%8c", "%8d", "%8e", "%8f",
+        "%90", "%91", "%92", "%93", "%94", "%95", "%96", "%97", "%98", "%99",
+        "%9a", "%9b", "%9c", "%9d", "%9e", "%9f", "%a0", "%a1", "%a2", "%a3",
+        "%a4", "%a5", "%a6", "%a7", "%a8", "%a9", "%aa", "%ab", "%ac", "%ad",
+        "%ae", "%af", "%b0", "%b1", "%b2", "%b3", "%b4", "%b5", "%b6", "%b7",
+        "%b8", "%b9", "%ba", "%bb", "%bc", "%bd", "%be", "%bf", "%c0", "%c1",
+        "%c2", "%c3", "%c4", "%c5", "%c6", "%c7", "%c8", "%c9", "%ca", "%cb",
+        "%cc", "%cd", "%ce", "%cf", "%d0", "%d1", "%d2", "%d3", "%d4", "%d5",
+        "%d6", "%d7", "%d8", "%d9", "%da", "%db", "%dc", "%dd", "%de", "%df",
+        "%e0", "%e1", "%e2", "%e3", "%e4", "%e5", "%e6", "%e7", "%e8", "%e9",
+        "%ea", "%eb", "%ec", "%ed", "%ee", "%ef", "%f0", "%f1", "%f2", "%f3",
+        "%f4", "%f5", "%f6", "%f7", "%f8", "%f9", "%fa", "%fb", "%fc", "%fd",
+        "%fe", "%ff"
+};
 int htmlfd = STDOUT_FILENO;
 char *fmt(const char *format, ...)
@@ -135,9 +161,10 @@ void html_url_path(const char *txt)
        const char *t = txt;
        while(t && *t){
                int c = *t;
-                if (c=='"' || c=='#' || c=='\'' || c=='?') {
+                const char *e = url_escape_table[c];
+                if (e && c!='+' && c!='&' && c!='+') {
                        write(htmlfd, txt, t - txt);
-                        write(htmlfd, fmt("%%%2x", c), 3);
+                        write(htmlfd, e, 3);
                        txt = t+1;
                }
                t++;
@@ -151,9 +178,10 @@ void html_url_arg(const char *txt)
        const char *t = txt;
        while(t && *t){
                int c = *t;
-                if (c=='"' || c=='#' || c=='%' || c=='&' || c=='\'' || c=='+' || c=='?') {
+                const char *e = url_escape_table[c];
+                if (e) {
                        write(htmlfd, txt, t - txt);
-                        write(htmlfd, fmt("%%%2x", c), 3);
+                        write(htmlfd, e, 3);
                        txt = t+1;
                }
                t++;
author	Mark Lodato	2010-02-09 10:12:43 -0500
committer	Mark Lodato	2010-02-09 10:12:43 -0500
commit	a2c6355f9fdede78ce46aeee39ef649637aaadf9 (patch)
tree	4ed595f688691e7a35c5684ca59164bcc777b74c /html.c
parent	8aab27f24de70acfbdcee31c634a4b1facf23b92 (diff)
download	cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.tar.gz cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.tar.bz2 cgit-a2c6355f9fdede78ce46aeee39ef649637aaadf9.zip

diff --git a/html.c b/html.c index 4033200..337baeb 100644 --- a/html.c +++ b/html.c
@@ -13,6 +13,32 @@
13	#include <string.h>	13	#include <string.h>
14	#include <errno.h>	14	#include <errno.h>
15		15
		16	/* Percent-encoding of each character, except: a-zA-Z0-9!$(),./:;@- /
		17	static const char* url_escape_table[256] = {
		18	"%00", "%01", "%02", "%03", "%04", "%05", "%06", "%07", "%08", "%09",
		19	"%0a", "%0b", "%0c", "%0d", "%0e", "%0f", "%10", "%11", "%12", "%13",
		20	"%14", "%15", "%16", "%17", "%18", "%19", "%1a", "%1b", "%1c", "%1d",
		21	"%1e", "%1f", "%20", 0, "%22", "%23", 0, "%25", "%26", "%27", 0, 0, 0,
		22	"%2b", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%3c", "%3d",
		23	"%3e", "%3f", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
		24	0, 0, 0, 0, 0, 0, 0, 0, 0, "%5c", 0, "%5e", 0, "%60", 0, 0, 0, 0, 0,
		25	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, "%7b",
		26	"%7c", "%7d", 0, "%7f", "%80", "%81", "%82", "%83", "%84", "%85",
		27	"%86", "%87", "%88", "%89", "%8a", "%8b", "%8c", "%8d", "%8e", "%8f",
		28	"%90", "%91", "%92", "%93", "%94", "%95", "%96", "%97", "%98", "%99",
		29	"%9a", "%9b", "%9c", "%9d", "%9e", "%9f", "%a0", "%a1", "%a2", "%a3",
		30	"%a4", "%a5", "%a6", "%a7", "%a8", "%a9", "%aa", "%ab", "%ac", "%ad",
		31	"%ae", "%af", "%b0", "%b1", "%b2", "%b3", "%b4", "%b5", "%b6", "%b7",
		32	"%b8", "%b9", "%ba", "%bb", "%bc", "%bd", "%be", "%bf", "%c0", "%c1",
		33	"%c2", "%c3", "%c4", "%c5", "%c6", "%c7", "%c8", "%c9", "%ca", "%cb",
		34	"%cc", "%cd", "%ce", "%cf", "%d0", "%d1", "%d2", "%d3", "%d4", "%d5",
		35	"%d6", "%d7", "%d8", "%d9", "%da", "%db", "%dc", "%dd", "%de", "%df",
		36	"%e0", "%e1", "%e2", "%e3", "%e4", "%e5", "%e6", "%e7", "%e8", "%e9",
		37	"%ea", "%eb", "%ec", "%ed", "%ee", "%ef", "%f0", "%f1", "%f2", "%f3",
		38	"%f4", "%f5", "%f6", "%f7", "%f8", "%f9", "%fa", "%fb", "%fc", "%fd",
		39	"%fe", "%ff"
		40	};
		41
16	int htmlfd = STDOUT_FILENO;	42	int htmlfd = STDOUT_FILENO;
17		43
18	char fmt(const char format, ...)	44	char fmt(const char format, ...)
@@ -135,9 +161,10 @@ void html_url_path(const char *txt)
135	const char *t = txt;	161	const char *t = txt;
136	while(t && *t){	162	while(t && *t){
137	int c = *t;	163	int c = *t;
138	if (c=='"' \|\| c=='#' \|\| c=='\'' \|\| c=='?') {	164	const char *e = url_escape_table[c];
		165	if (e && c!='+' && c!='&' && c!='+') {
139	write(htmlfd, txt, t - txt);	166	write(htmlfd, txt, t - txt);
140	write(htmlfd, fmt("%%%2x", c), 3);	167	write(htmlfd, e, 3);
141	txt = t+1;	168	txt = t+1;
142	}	169	}
143	t++;	170	t++;
@@ -151,9 +178,10 @@ void html_url_arg(const char *txt)
151	const char *t = txt;	178	const char *t = txt;
152	while(t && *t){	179	while(t && *t){
153	int c = *t;	180	int c = *t;
154	if (c=='"' \|\| c=='#' \|\| c=='%' \|\| c=='&' \|\| c=='\'' \|\| c=='+' \|\| c=='?') {	181	const char *e = url_escape_table[c];
		182	if (e) {
155	write(htmlfd, txt, t - txt);	183	write(htmlfd, txt, t - txt);
156	write(htmlfd, fmt("%%%2x", c), 3);	184	write(htmlfd, e, 3);
157	txt = t+1;	185	txt = t+1;
158	}	186	}
159	t++;	187	t++;