From 97f9a66a3dc13aa4d56eeb7131f0706e2a20a9dd Mon Sep 17 00:00:00 2001
From: RblSb
Date: Fri, 3 Sep 2021 12:06:53 +0300
Subject: Detect null/ctrl chars

closes #30
---
 src/server/HttpServer.hx | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'src/server/HttpServer.hx')

diff --git a/src/server/HttpServer.hx b/src/server/HttpServer.hx
index c4853ee..7f257a4 100644
--- a/src/server/HttpServer.hx
+++ b/src/server/HttpServer.hx
@@ -50,7 +50,7 @@ class HttpServer {
 }
 
 public static function serveFiles(req:IncomingMessage, res:ServerResponse):Void {
- var url = decodeURI(req.url);
+ var url = safeDecodeURI(req.url);
 if (url == "/") url = "/index.html";
 var filePath = dir + url;
 final ext = Path.extension(filePath).toLowerCase();
@@ -183,7 +183,7 @@ class HttpServer {
 fn:(req:IncomingMessage) -> Bool
 ):Null {
 final url = try {
- new URL(decodeURI(url));
+ new URL(safeDecodeURI(url));
 } catch (e) return null;
 if (url.host == req.headers["host"]) return null;
 final options = {
@@ -216,6 +216,16 @@ class HttpServer {
 return contentType;
 }
 
+ static final ctrlCharacters = ~/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\uFEFF]/g;
+
+ static function safeDecodeURI(data:String):String {
+ try {
+ data = decodeURI(data);
+ } catch (err) {}
+ data = ctrlCharacters.replace(data, "");
+ return data;
+ }
+
 static inline function decodeURI(data:String):String {
 return js.Syntax.code("decodeURI({0})", data);
 }
--
cgit v1.2.3
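Review bot: `safeDecodeURI` repairs a suspicious request instead of rejecting it — control characters are silently deleted, and when `decodeURI` throws on malformed percent-encoding the empty `catch (err) {}` lets the raw, undecoded `req.url` flow on into `dir + url` in `serveFiles`, so that caller has no way to tell the request was malformed and answer 400. A path carrying NUL or other C0/C1 bytes is almost never legitimate, so consider letting the `URIError` propagate (the `new URL(...)` call site in the second hunk already sits inside a try/catch) or otherwise signalling the match to the caller rather than quietly serving a rewritten path. The character class also omits U+2028/U+2029 (line/paragraph separators) and U+2060 (word joiner), which belong to the same family as the U+2000–U+200D range it does remove; if those are in scope, `~/[\u0000-\u001F\u007F-\u009F\u2000-\u200D\u2028\u2029\u2060\uFEFF]/g` covers them. Whatever is decided, the decode-then-strip order is load-bearing and deserves a why-comment such as `// strip after decoding so percent-encoded controls like %00 are caught too`. The enclosing `class HttpServer` begins and ends outside this hunk.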