On Sat, 15 Aug 2020 15:32:11 -0700
robert <robertrussell.72...@gmail.com> wrote:

Dear Robert,

thanks for your patch!

> Previously, all hidden targets were rejected with 403, but
> /.well-known/ and its contents should be an exception.
>
> -     /* reject hidden target */
> -     if (realtarget[0] == '.' || strstr(realtarget, "/.")) {
> +     /* reject hidden target, except for /.well-known/
> +      * and its contents (see RFC 8615) */
> +     if (realtarget[0] == '.' || (strstr(realtarget, "/.") &&
> +             strstr(realtarget, "/.well-known/") != realtarget)) {
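
Review bot: in the new condition, the exception switches off the "/." test for the entire path once the target begins with "/.well-known/", so a dot-component further down, for example "/.well-known/foo/.hidden", is no longer rejected. If only the top-level directory is meant to be exempt, check the remainder of the path after that prefix for "/." as before. Comparing the strstr() result with realtarget is also a prefix test written indirectly; strncmp(realtarget, "/.well-known/", 13) would state the intent and avoid scanning the whole string.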

I'm not sure this reflects the correct behaviour, as the RFC states on
page 4:

   Well-known URIs are rooted in the top of the path's hierarchy; they
   are not well-known by definition in other parts of the path.  For
   example, "/.well-known/example" is a well-known URI, whereas
   "/foo/.well-known/example" is not.

Using strstr() thus is not the correct approach, but I have committed a
change to properly support it[0].

With best regards

Laslo

[0]:https://git.suckless.org/quark/commit/3bd49b24561ce3c7be916ab0abbc78288721ddc4.html
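
An added example of the rooted check the RFC passage above calls for; it is not quark's code and not the commit referenced in [0]. The helper name is_hidden_target is hypothetical, the path is assumed to be absolute and already normalized, and rejecting dot-entries below /.well-known/ is a stricter choice assumed here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not quark's code): returns 1 if the normalized,
 * absolute request path contains a hidden (dot-prefixed) component.
 * Only the first component may be ".well-known" (RFC 8615). */
static int
is_hidden_target(const char *path)
{
	static const char wk[] = "/.well-known";
	const size_t wklen = sizeof(wk) - 1;
	const char *p = path;

	/* assumption: targets are absolute; anything else is rejected */
	if (path[0] != '/')
		return 1;

	/* exempt the rooted component only if it ends at '/' or at the
	 * end of the string, so "/.well-knownx" does not qualify */
	if (!strncmp(path, wk, wklen) &&
	    (path[wklen] == '/' || path[wklen] == '\0'))
		p = path + wklen;

	/* any "/." in what remains starts a hidden component */
	return strstr(p, "/.") != NULL;
}

int
main(void)
{
	/* constructed sample targets */
	const char *t[] = {
		"/.well-known/acme-challenge/token",
		"/foo/.well-known/example",
		"/.well-knownx/example",
		"/.well-known/.git/config",
		"/index.html",
	};
	size_t i;

	for (i = 0; i < sizeof(t) / sizeof(t[0]); i++)
		printf("%-36s %s\n", t[i],
		       is_hidden_target(t[i]) ? "403" : "ok");
	return 0;
}
```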
