Commit graph

207 commits

Author SHA1 Message Date
sdomi
cc1619e797 notORM: fix an off-by-one affecting ops on the second-last column 2024-12-16 20:06:14 +01:00
sdomi
9d62173cfe misc: fix stripping garbage from url_decode 2024-12-16 19:34:42 +01:00
sdomi
b251e2736c notORM: fix data_replace_value due to sed quirk 2024-12-16 19:34:23 +01:00
sdomi
a2413d7062 notORM: remove debug echo 2024-12-16 17:57:56 +01:00
sdomi
a00b1b00ee notORM: secfix for sed inconsistently parsing escaped characters 2024-12-15 15:57:44 +01:00
sdomi
e64bdbb0d9 notORM: temporarily disable new parameter parsing on data_replace 2024-12-10 03:19:50 +01:00
sdomi
b0d76ecc9a notORM: split expr generation into _data_gen_expr 2024-12-06 05:19:45 +01:00
sdomi
62e7a9edd9 notORM: implement new syntax for data_yeet + more fixes 2024-12-06 04:04:54 +01:00
sdomi
6d91d057e8 notORM: implement new syntax for data_iter + some fixes 2024-12-06 03:00:25 +01:00
sdomi
a2daafe89a notORM: split argv parsing code into an alias 2024-12-06 01:37:15 +01:00
sdomi
45dc428576 notORM: impl searching for more than one constraint in data_get 2024-12-05 23:50:25 +01:00
sdomi
1c144612de server: normalize x-forwarded-for (somewhat) 2024-12-03 23:48:05 +01:00
sdomi
5ee00c6ead server: fix directory traversal
In select cases, if the attacker asked for a URL not starting with a slash (/),
a directory traversal bug could have been triggered. The attack is limited to
directories within `${cfg[namespace]}` (default: `app`) which begin with
`${cfg[root]}` (default: `webroot`).

This means that an adversary could traverse to `app/webroot*`. We never
encouraged / suggested keeping multiple webroots in one namespace, thus it's
doubtful whether any HTTP.sh deployment met the criteria.
2024-12-01 22:52:11 +01:00
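The traversal the commit message above describes comes down to how a request path is joined onto the configured root. The bash below is an added example, not HTTP.sh's own code: it contrasts a bare join, where a path lacking the leading slash simply extends the root's name and lands in a sibling directory such as `app/webroot-old`, with a resolver that forces the slash, collapses `.` and `..` segments lexically, and checks that the result is still the root or under `root/`. Only the `${cfg[namespace]}` and `${cfg[root]}` names and their defaults come from the commit message; the `naive_resolve` and `safe_resolve` functions, the exact concatenation shape, and the sample requests are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not HTTP.sh's own code. Only the cfg[namespace]/cfg[root]
# names and their defaults come from the commit message; everything else is
# assumed for illustration.
declare -A cfg=([namespace]=app [root]=webroot)

# naive_resolve: a bare join of root and request path (assumed shape).
# With a path that does not start with "/", the root name is simply extended,
# so "-old/secret" lands in app/webroot-old/, a sibling of the real webroot.
naive_resolve() {
    printf '%s/%s%s\n' "${cfg[namespace]}" "${cfg[root]}" "$1"
}

# safe_resolve: force a leading "/", drop empty and "." segments, let ".."
# pop at most back to the root, then verify the result is the root itself or
# lies under "root/". Purely lexical, so it needs no filesystem access; run it
# after url_decode so an encoded "%2e%2e" cannot slip past as a literal segment.
safe_resolve() {
    local url="$1" seg p
    local -a segs out=()
    [[ "$url" == /* ]] || url="/$url"
    IFS='/' read -r -a segs <<< "$url"      # split on "/" without globbing
    for seg in "${segs[@]}"; do
        case "$seg" in
            ''|'.') ;;                                                   # no-op segments
            '..') (( ${#out[@]} > 0 )) && unset "out[$(( ${#out[@]} - 1 ))]" ;;
            *) out+=("$seg") ;;
        esac
    done
    p="${cfg[namespace]}/${cfg[root]}"
    local IFS='/'
    (( ${#out[@]} > 0 )) && p+="/${out[*]}"
    # Final guard: nothing outside the root may ever be returned.
    [[ "$p" == "${cfg[namespace]}/${cfg[root]}" || "$p" == "${cfg[namespace]}/${cfg[root]}/"* ]] || return 1
    printf '%s\n' "$p"
}

# Stand-alone demo over constructed request paths.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    for req in 'index.html' '-old/secret' '/a/../../etc/passwd' '../../x'; do
        printf 'naive: %-28s safe: %s\n' "$(naive_resolve "$req")" "$(safe_resolve "$req")"
    done
fi
```

The lexical approach deliberately avoids `realpath`: it never touches the disk, so a symlink planted under the webroot cannot influence the decision, and a request that pops past the root is clamped rather than rejected, which keeps the server from leaking whether a parent directory exists.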
sdomi
403ef2b4ee server: normalize a few other things 2024-12-01 22:51:56 +01:00
sdomi
c943b7897e template: prevent expansion on keys (which shouldn't happen anyways) 2024-12-01 22:39:30 +01:00
sdomi
3d8dd9879e server: url_decode all GET params, (we don't care about binary data there) 2024-10-22 16:33:02 +01:00
sdomi
da54143a3f server: remove PHP/Python execution handlers, to be replaced with CGI 2024-10-07 18:09:17 +02:00
sdomi
951517b30d *: better versioning, split off various resources into .resources/ 2024-10-07 17:58:15 +02:00
sdomi
56d2af2cd8 tests: more header parsing tests 2024-10-05 04:36:03 +02:00
sdomi
3c8f848a9a proxy: remove
While a proxy function is useful, this implementation was unsalvageable.
2024-10-05 03:17:39 +02:00
famfo
510c372f1d server: add support for getting IP address behind a proxy 2024-10-05 03:05:16 +02:00
famfo
2cc067fc93 server: simplify header parsing code 2024-10-05 03:05:09 +02:00
TheresNoTime
9adbf34fce Add xxd as a required dependency 2024-09-26 23:18:24 +02:00
famfo
b4ea5954ec mime: fix ico/favicon.ico mimetype 2024-09-26 14:04:19 +02:00
sdomi
2fd62dbbba server: fixup non-urlencoded post_data parsing 2024-09-06 00:50:47 +02:00
sdomi
fb8ae0eabc notORM: fix erroneous row return on no match 2024-09-03 22:56:34 +02:00
sdomi
cd0fe42879 cookie: add Path attribute 2024-08-18 00:05:58 +02:00
sdomi
d8a475e11b notORM, account: revert previous fix and employ a workaround for a bash bug 2024-08-17 23:10:10 +02:00
sdomi
11828198ce account: fix bug with empty fields getting omitted 2024-08-17 22:36:47 +02:00
sdomi
12011e5991 notORM: fix not enough delims 2024-08-17 22:30:07 +02:00
sdomi
4b9d4a5fda notORM: fix spurious $delim 2024-08-17 21:57:17 +02:00
sdomi
3db39c4948 notORM: fix typo 2024-08-17 21:35:57 +02:00
sdomi
23de1448e0 worker: setup the runtime 2024-08-17 21:28:23 +02:00
sdomi
11d3c0a899 notORM: replace some tr calls with bashisms 2024-08-17 21:27:32 +02:00
sdomi
1059be1618 server: fixup the parameter and cookie parsing 2024-08-17 05:14:53 +02:00
sdomi
4728b1651f server: rewrite slow sed calls into fast(er) bashisms 2024-08-17 04:51:17 +02:00
sdomi
5fc46f0f53 misc: improve url_decode 2024-08-17 04:14:06 +02:00
sdomi
6a22be0b4d server: fix parameter parsing on very long chains (in GET) 2024-08-17 02:55:54 +02:00
sdomi
69751adc52 server: fix parameter parsing on very long chains 2024-08-15 23:44:49 +02:00
sdomi
691ff46e75 response: fixup the HTTP response code if it got emptied by downstream 2024-08-15 19:50:15 +02:00
sdomi
fb247a6092 server: try to drop invalid connections 2024-08-15 19:45:56 +02:00
sdomi
62fb5556f4 notORM: iter now returns 255 on loop break 2024-08-11 21:58:34 +02:00
sdomi
ef933dd603 account: more checks 2024-08-11 18:39:54 +02:00
sdomi
c595acf6b9 router: more bashisms, less subshells 2024-08-11 03:02:14 +02:00
sdomi
8c29f4ad4e notORM: change iter failure state from 1 to 255 to prevent spontaneous fatals 2024-08-11 02:17:11 +02:00
sdomi
9a8f1dc2e4 response: migrate from printf to 'echo' and 'echo -e' (to prevent % injections) 2024-08-11 01:07:19 +02:00
sdomi
30c494c8e9 notORM: break out of data_iter after first failure 2024-08-10 23:24:04 +02:00
sdomi
5425a8ff14 misc: fix url_encode inconsistencies 2024-08-07 00:02:03 +02:00
sdomi
5b8d492898 account: remember me flag 2024-08-04 01:59:21 +02:00
sdomi
93d02b4295 account: more middleware functions 2024-08-04 01:33:10 +02:00