luci-base: don't propagate null bytes in path information

[project/luci.git] / modules / luci-base / luasrc / dispatcher.lua

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index 4866727..fc497ca 100644 (file)
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -113,7 +113,8 @@ function httpdispatch(request, prefix)
                end
        end
 
-       for node in pathinfo:gmatch("[^/]+") do
+       local node
+       for node in pathinfo:gmatch("[^/%z]+") do
                r[#r+1] = node
        end
 
@@ -136,8 +137,7 @@ local function require_post_security(target)
 
                                if (type(required_val) == "string" and
                                    request_val ~= required_val) or
-                                  (required_val == true and
-                                   (request_val == nil or request_val == ""))
+                                  (required_val == true and request_val == nil)
                                then
                                        return false
                                end