Will I ever get this right? I put in a fix, please test it. I also added a
long comment explaining the reason behind encoding the URL. I'm replicating it
here:

// Why do we have to encode the key here? It's because this
// HTML is generated by the gateway, and we cannot trust the
// URL. It might have characters which will break the security
// of the page (e.g. close quotes).
//
// So we encode it, and pass it as part of the query string.
// If the user clicks on the "Retrieve anyway", we will get the
// URL as a form argument, decode it and redirect to it. The
// redirect is hopefully secure against funny characters...
//
String encKey = java.net.URLEncoder.encode(key);
String forceKey = makeForceKey();
pw.println("<p><a href=\"/?key=" + encKey + "&force=" +
    forceKey + "\">Retrieve anyway</A>, see the <a href=\"/?key=" + encKey +
    "&mime=text/plain\">source</A> or <A HREF=\"/\">return</A> to gateway page");

On Sun, Jun 03, 2001 at 12:56:42PM +0200, Stefan Reich wrote:
> >Are you using the latest CVS version? I put in a fix for something very
> >similar after the latest official release went out.
>
> I don't know what you fixed, but the lines I quoted are still in the CVS.
>
> -Stefan
>
> ----- Original Message -----
> From: "Dev Random" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Sunday, June 03, 2001 5:33 AM
> Subject: Re: [freenet-devl] fproxy shouldn't encode slashes
--
Dev Random
Fingerprint: 3ABC FCEF 1BCE 4528 E4FD 15EB 173A 76D2 6959 DAF1
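
The encoding described in the comment above, as an added example that is not part of the original message or of fproxy's code: it builds the same kind of link from an untrusted key, checks that the encoded form cannot close the href quote, and confirms it decodes back to the original. The class and method names and the sample key are hypothetical; `encodeKeepSlashes` goes beyond the message and shows one way to leave slashes unencoded, which is what the thread subject asks for.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;

// Added illustration, not fproxy code. All names here are hypothetical.
public class KeyLinkDemo {

    // Form-encode the whole key. The output contains only letters, digits,
    // '.', '-', '*', '_', '+' and '%XX', so it cannot end the href attribute.
    static String encodeWhole(String key) throws Exception {
        return URLEncoder.encode(key, "UTF-8");
    }

    // Encode each '/'-separated segment on its own: slashes stay readable,
    // while quotes, angle brackets and '&' are still percent-encoded.
    static String encodeKeepSlashes(String key) throws Exception {
        String[] parts = key.split("/", -1); // -1 keeps trailing empty segments
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) sb.append('/');
            sb.append(URLEncoder.encode(parts[i], "UTF-8"));
        }
        return sb.toString();
    }

    // Same link shape as in the message; '&' is written as &amp; in HTML.
    static String link(String encKey) {
        return "<a href=\"/?key=" + encKey + "&amp;mime=text/plain\">source</a>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key with a close quote and markup in it.
        String key = "KSK@demo/page.html\"><b>injected";

        System.out.println("raw:         " + link(key)); // attribute is broken
        for (String enc : new String[] { encodeWhole(key), encodeKeepSlashes(key) }) {
            System.out.println("encoded:     " + link(enc));
            // The encoded key must not carry characters that end the attribute.
            if (enc.matches(".*[\"'<>&].*")) {
                throw new IllegalStateException("unsafe character survived: " + enc);
            }
            // The gateway decodes the form argument before redirecting.
            if (!URLDecoder.decode(enc, "UTF-8").equals(key)) {
                throw new IllegalStateException("round trip failed: " + enc);
            }
        }
    }
}
```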