summaryrefslogtreecommitdiff
path: root/gitweb
diff options
context:
space:
mode:
authorLibravatar Jay Soffian <jaysoffian@gmail.com>2012-08-08 22:29:26 -0400
committerLibravatar Junio C Hamano <gitster@pobox.com>2012-08-15 11:47:43 -0700
commitcacfc09ba82bfc6b0e1c047247785d56a6054b2f (patch)
tree5cd09dd23e9dfc4024db891f69be9107fb575d84 /gitweb
parentGit 1.7.10.5 (diff)
downloadtgif-cacfc09ba82bfc6b0e1c047247785d56a6054b2f.tar.xz
gitweb: URL-decode $my_url/$my_uri when stripping PATH_INFO
When gitweb is used as a DirectoryIndex, it attempts to strip PATH_INFO on its own, as $cgi->url() fails to do so. However, it fails to account for the fact that PATH_INFO has already been URL-decoded by the web server, but the value returned by $cgi->url() has not been. This causes the stripping to fail whenever the URL contains encoded characters. To see this in action, setup gitweb as a DirectoryIndex and then use it on a repository with a directory containing a space in the name. Navigate to tree view, examine the gitweb generated html and you'll see a link such as: <a href="/test.git/tree/HEAD:/directory with spaces">directory with spaces</a> When clicked on, the browser will URL-encode this link, giving a $cgi->url() of the form: /test.git/tree/HEAD:/directory%20with%20spaces While PATH_INFO is: /test.git/tree/HEAD:/directory with spaces Fix this by calling unescape() on both $my_url and $my_uri before stripping PATH_INFO from them. Signed-off-by: Jay Soffian <jaysoffian@gmail.com> Acked-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb')
-rwxr-xr-xgitweb/gitweb.perl5
1 files changed, 5 insertions, 0 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index a8b5fad266..126d3ef4bd 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -54,6 +54,11 @@ sub evaluate_uri {
# to build the base URL ourselves:
our $path_info = decode_utf8($ENV{"PATH_INFO"});
if ($path_info) {
+ # $path_info has already been URL-decoded by the web server, but
+ # $my_url and $my_uri have not. URL-decode them so we can properly
+ # strip $path_info.
+ $my_url = unescape($my_url);
+ $my_uri = unescape($my_uri);
if ($my_url =~ s,\Q$path_info\E$,, &&
$my_uri =~ s,\Q$path_info\E$,, &&
defined $ENV{'SCRIPT_NAME'}) {