Remove query params.

Reported by: James Antill
https://bugzilla.redhat.com/show_bug.cgi?id=1099199

darkhttpd.c

@@ -488,8 +488,9 @@ static void consolidate_slashes(char *s) {
     s[left] = '\0';
 }
 
-/* Resolve /./ and /../ in a URL, in-place.  Returns NULL if the URL is
+/* Resolve /./ and /../ in a URL, in-place.  Also strip out query params.
- * invalid/unsafe, or the original buffer if successful.
+ * Returns NULL if the URL is invalid/unsafe, or the original buffer if
+ * successful.
  */
 static char *make_safe_url(char *url) {
     struct {
@@ -500,9 +501,17 @@ static char *make_safe_url(char *url) {
     size_t urllen, i, j, pos;
     int ends_in_slash;
 
-    assert(url != NULL);
+    /* strip query params */
+    for (pos=0; url[pos] != '\0'; pos++) {
+        if (url[pos] == '?') {
+            url[pos] = '\0';
+            break;
+        }
+    }
+
     if (url[0] != '/')
         return NULL;
+
     consolidate_slashes(url);
     urllen = strlen(url);
     if (urllen > 0)

devel/test.py

@@ -205,6 +205,12 @@ class TestFileGet(TestHelper):
     def test_file_get_redundant_dots(self):
         self.get_helper("/././." + self.url)
 
+    def test_file_get_question(self):
+        self.get_helper(self.url + "?")
+
+    def test_file_get_question_query(self):
+        self.get_helper(self.url + "?action=Submit")
+
     def test_file_head(self):
         resp = Conn().get(self.url, method="HEAD")
         status, hdrs, body = parse(resp)

devel/test_make_safe_uri.c

@@ -27,6 +27,7 @@ test(const char *input, const char *expected)
 }
 
 static char const *tests[] = {
+    "", NULL,
     "/", "/",
     "/.", "/",
     "/./", "/",
@@ -48,6 +49,11 @@ static char const *tests[] = {
     "/a/b/../../../c", NULL,
     /* don't forget consolidate_slashes */
     "//a///b////c/////", "/a/b/c/",
+    /* strip query params */
+    "/?a=b", "/",
+    "/index.html?", "/index.html",
+    "/index.html?a", "/index.html",
+    "/index.html?a=b", "/index.html",
     NULL
 };