badmanners/shimmie2
badmanners/shimmie2
Archived
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add even more hacks onto the pile of hacks for URL parsing, see #1236

Browse source
This commit is contained in:
Shish 2024-09-04 16:42:13 +01:00 committed by Shish
parent b151a029c1
commit 17c43f62e2
1 changed files with 17 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
core/urls.php
View file

@ -87,6 +87,9 @@ function make_link(?string $page = null, ?string $query = null, ?string $fragmen
* can parse it for ourselves * can parse it for ourselves
* - <input type='hidden' name='q' value='post/list'> generates * - <input type='hidden' name='q' value='post/list'> generates
* q=post%2Flist * q=post%2Flist
* - When apache is reverse-proxying https://external.com/img/index.php
* to http://internal:8000/index.php, get_base_href() should return
* /img, however the URL in REQUEST_URI is /index.php, not /img/index.php
* *
* This function should always return strings with no leading slashes * This function should always return strings with no leading slashes
*/ */
@ -94,14 +97,14 @@ function _get_query(?string $uri = null): string
{ {
$parsed_url = parse_url($uri ?? $_SERVER['REQUEST_URI'] ?? ""); $parsed_url = parse_url($uri ?? $_SERVER['REQUEST_URI'] ?? "");
// if we're looking at http://site.com/$INSTALL_DIR/index.php, // if we're looking at http://site.com/.../index.php,
// then get the query from the "q" parameter // then get the query from the "q" parameter
if (($parsed_url["path"] ?? "") == (get_base_href() . "/index.php")) { if (str_ends_with($parsed_url["path"] ?? "", "/index.php")) {
// $q = $_GET["q"] ?? "";
// default to looking at the root // default to looking at the root
$q = ""; $q = "";
// (we need to manually parse the query string because PHP's $_GET // We can't just do `$q = $_GET["q"] ?? "";`, we need to manually
// does an extra round of URL decoding, which we don't want) // parse the query string because PHP's $_GET does an extra round
// of URL decoding, which we don't want
foreach (explode('&', $parsed_url['query'] ?? "") as $z) { foreach (explode('&', $parsed_url['query'] ?? "") as $z) {
$qps = explode('=', $z, 2); $qps = explode('=', $z, 2);
if (count($qps) == 2 && $qps[0] == "q") { if (count($qps) == 2 && $qps[0] == "q") {
@ -118,7 +121,15 @@ function _get_query(?string $uri = null): string
// if we're looking at http://site.com/$INSTALL_DIR/$PAGE, // if we're looking at http://site.com/$INSTALL_DIR/$PAGE,
// then get the query from the path // then get the query from the path
else { else {
$q = substr($parsed_url["path"] ?? "", strlen(get_base_href() . "/")); $base = get_base_href() . "/";
$q = $parsed_url["path"] ?? "";
// sometimes our public URL is /img/foo/bar but after
// reverse-proxying shimmie only sees /foo/bar, so only
// strip off the /img if it's actually there
if (str_starts_with($q, $base)) {
$q = substr($q, strlen($base));
}
} }
assert(!str_starts_with($q, "/")); assert(!str_starts_with($q, "/"));