reject URLs with a userinfo component

2020-06-20 01:42:17 -04:00 · 2020-06-20 01:42:17 -04:00 · 0b8446c58f
parent 1b07b0a594
commit 0b8446c58f
3 changed files with 10 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,13 +2,9 @@

 ### Unreleased

-#### Static Fileserver
-
+- URLs with a userinfo component will now be rejected with a status of 59.
 - Error stack traces are no longer shown when the client prematurely closes
  the connection.
-  
-#### Internal Framework  
-
 - The status code definitions have been updated to match the recent changes
  to the gemini spec:
  - 21 ``SUCCESS_END_OF_SESSION`` -> (removed)
@ -17,8 +13,8 @@
  - 63 ``CERTIFICATE_NOT_ACCEPTED`` -> (removed)
  - 64 ``FUTURE_CERTIFICATE_REJECTED`` -> (removed)
  - 65 ``EXPIRED_CERTIFICATE_REJECTED`` -> (removed)
- If a gemini response returns a twisted.Deferred object, the errback will
-  now be invoked when the TCP connection is closed.
+- If an application response handler returns a twisted.Deferred object, the
+  errback will now be invoked when the TCP connection is closed.
 - Added a new example that demonstrates streaming data to client connections
  (examples/chatroom.py).

--- a/jetforce/app/base.py
+++ b/jetforce/app/base.py
@ -49,7 +49,7 @@ class Request:

        url_parts = urlparse(self.url)
        if not url_parts.hostname:
-            raise ValueError("URL must contain a `hostname` part")
+            raise ValueError("Missing hostname component")

        if not url_parts.scheme:
            # If scheme is missing, infer it to be gemini://
@ -57,6 +57,10 @@ class Request:
        else:
            self.scheme = url_parts.scheme

+        # gemini://username@host/... is forbidden by the specification
+        if self.scheme == "gemini" and url_parts.username:
+            raise ValueError("Invalid userinfo component")
+
        self.hostname = url_parts.hostname
        self.port = url_parts.port

@ -140,7 +144,7 @@ class JetforceApplication:
        try:
            request = Request(environ)
        except Exception:
-            send_status(Status.BAD_REQUEST, "Unrecognized URL format")
+            send_status(Status.BAD_REQUEST, "Invalid URL")
            return

        for route_pattern, callback in self.routes[::-1]:
--- a/jetforce/app/composite.py
+++ b/jetforce/app/composite.py
@ -34,7 +34,7 @@ class CompositeApplication:
        try:
            request = Request(environ)
        except Exception:
-            send_status(Status.BAD_REQUEST, "Unrecognized URL format")
+            send_status(Status.BAD_REQUEST, "Invalid URL")
            return

        if request.hostname in self.application_map: