From: Jo-Philipp Wich Date: Tue, 10 Apr 2018 09:38:29 +0000 (+0200) Subject: luci-base: don't propagate null bytes in path information X-Git-Url: http://git.archive.openwrt.org/?p=project%2Fluci.git;a=commitdiff_plain;h=b194b8882e4d335a265f44c478ea8e3d7b2a99fc;ds=sidebyside luci-base: don't propagate null bytes in path information It is possible to inject unescaped markup using a double encoded null byte via PATH_INFO on certain leaf nodes. Since there is no legitimate reason to handle null bytes in any part of the requested url, simply skip over such bytes when parsing the PATH_INFO value. Signed-off-by: Jo-Philipp Wich --- diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua index 91b86679f..fc497ca9f 100644 --- a/modules/luci-base/luasrc/dispatcher.lua +++ b/modules/luci-base/luasrc/dispatcher.lua @@ -113,7 +113,8 @@ function httpdispatch(request, prefix) end end - for node in pathinfo:gmatch("[^/]+") do + local node + for node in pathinfo:gmatch("[^/%z]+") do r[#r+1] = node end
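Review bot: in the changed loop line, `pathinfo:gmatch("[^/%z]+")` puts the null byte in the same negated class as `/`, so it acts as a second path separator. A segment with an embedded null byte is split into two entries of `r`; the byte is not removed from the segment and the request is not rejected. The commit message says such bytes are skipped, and splitting does keep them out of every node, but it also changes which node the request resolves to. If no legitimate URL contains a null byte, returning an error for the whole request as soon as `pathinfo` contains one would be easier to reason about than dispatching on a re-segmented path. The added `local node` above the loop has no effect: a generic `for` in Lua declares its own loop-scoped `node`, which shadows the outer one, so that line can be dropped. `%z` is the Lua 5.1 pattern class for the zero byte and was removed in later Lua versions, so a short comment on the pattern line saying why it is there and that it depends on 5.1 would help the next reader.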