On Sat, 15 Aug 2020 15:32:11 -0700 robert <robertrussell.72...@gmail.com> wrote:

Dear Robert,

thanks for your patch!

> Previously, all hidden targets were rejected with 403, but
> /.well-known/ and its contents should be an exception.
>
> - /* reject hidden target */
> - if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
> + /* reject hidden target, except for /.well-known/
> + * and its contents (see RFC 8615) */
> + if (realtarget[0] == '.' || (strstr(realtarget, "/.") &&
> + strstr(realtarget, "/.well-known/") != realtarget)) {

I'm not sure this reflects the correct behaviour, as the RFC states on
page 4:

   Well-known URIs are rooted in the top of the path's hierarchy; they
   are not well-known by definition in other parts of the path. For
   example, "/.well-known/example" is a well-known URI, whereas
   "/foo/.well-known/example" is not.

Using strstr() thus is not the correct approach, but I have committed a
change to properly support it[0].

With best regards

Laslo

[0]:https://git.suckless.org/quark/commit/3bd49b24561ce3c7be916ab0abbc78288721ddc4.html
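
Review bot: In the new condition of the quoted hunk, `strstr(realtarget, "/.well-known/") != realtarget` switches off the whole `strstr(realtarget, "/.")` test as soon as the path begins with /.well-known/, so a dot-component further down (a path of the form /.well-known/.x or /.well-known/a/.b) is no longer rejected with 403. If only the top-level directory is meant to be exempt from the hidden-target check, test the prefix explicitly with strncmp(realtarget, "/.well-known/", sizeof("/.well-known/") - 1) and then run the "/." search starting from the trailing slash of that prefix. The pointer comparison against realtarget is also easy to misread as a plain substring test, so the comment should state that the exemption applies only when the path begins with /.well-known/, which is the case RFC 8615 defines.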