request: GET-params and cookies should not deal with non-printable values

sandbox: sandbox-linux: Adapt to newest exile.h
submodules: exile.h: Update
2025-11-04 21:30:32 +01:00 · 2025-11-04 21:29:17 +01:00 · 2025-11-04 21:28:00 +01:00 · 2025-11-03 23:33:20 +01:00
5 changed files with 19 additions and 21 deletions
--- a/2
+++ b/2
@@ -53,7 +53,7 @@ profile: qswiki
 exile.o: submodules/exile.h/exile.c
-	$(CC) -std=c99 -DHAVE_LANDLOCK=0 -c submodules/exile.h/exile.c -o exile.o
+	$(CC) -std=c99 -c submodules/exile.h/exile.c -o exile.o
 qswiki: $(WIKIOBJECTS) exile.o
 	$(CXX) $(shell shuf -e $(WIKIOBJECTS) exile.o ) ${LDFLAGS} ${INCLUDEFLAGS}  -o qswiki
--- a/request.cpp
+++ b/request.cpp
@@ -86,7 +86,15 @@ void Request::initCookies(const std::string &cookiestr)
 std::string Request::get(const std::string &key) const
 {
-	return utils::getKeyOrEmpty(this->getVars, key);
+	std::string value = utils::getKeyOrEmpty(this->getVars, key);
 	/* In general all our expected GET values are printable and, for now, ascii.
 	 * If not, it's not a normal request. So just return an empty string then.
 	 * Exceptions are probably a bit too much */
 	if(!utils::is_printable_ascii(value))
 	{
 		return "";
 	}
 	return value;
 }
 std::string Request::post(const std::string &key) const
@@ -105,23 +113,18 @@ std::string Request::param(const std::string &key) const
 }
 std::string Request::cookie(const std::string &key) const
 {
 	std::string value;
 	for(const Cookie &c : cookies)
 	{
 		if(c.key == key)
 		{
-			return c.value;
+			value = c.value;
 			break;
 		}
 	}
-
+	if(utils::is_printable_ascii(value))
 	{
 		return value;
 	}
 	return "";
 }
 std::vector<std::string> Request::allGet(const std::string &key)
 {
 	return utils::getAll(this->getVars, key);
 }
 std::vector<std::string> Request::allPost(const std::string &key)
 {
 	return utils::getAll(this->postVars, key);
 }
--- a/request.h
+++ b/request.h
@@ -34,9 +34,6 @@ class Request
 	std::string post(const std::string &key) const;
 	std::string cookie(const std::string &key) const;
 	std::string param(const std::string &key) const;
 	std::vector<std::string> allGet(const std::string &key);
 	std::vector<std::string> allPost(const std::string &key);
 	const std::vector<Cookie> &getCookies() const
 	{
 		return this->cookies;
--- a/sandbox/sandbox-linux.cpp
+++ b/sandbox/sandbox-linux.cpp
@@ -44,7 +44,7 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
 	struct exile_policy *policy = exile_init_policy();
 	if(policy == NULL)
 	{
-		Logger::error() << "Failed to init sandboxing policy (worker) ";
+		Logger::error() << "Failed to init sandboxing policy";
 		return false;
 	}
 	for(unsigned int i = 0; i < fsPaths.size(); i++)
@@ -55,10 +55,8 @@ bool SandboxLinux::enable(std::vector<std::string> fsPaths)
 			exile_append_path_policies(policy, EXILE_FS_ALLOW_ALL_READ | EXILE_FS_ALLOW_ALL_WRITE, path.c_str());
 		}
 	}
 	policy->drop_caps = 1;
 	policy->not_dumpable = 1;
 	policy->no_new_privs = 1;
 	policy->mount_path_policies_to_chroot = 1;
 	policy->vow_promises = exile_vows_from_str("stdio wpath cpath rpath inet unix thread");
 	if(exile_enable_policy(policy) != 0)
 	{
--- a/submodules/exile.h
+++ b/submodules/exile.h
Author	SHA1	Message	Date
Albert S.	ae1d33a14e	request: GET-params and cookies should not deal with non-printable values	2025-11-04 21:30:32 +01:00
Albert S.	610da575ea	sandbox: sandbox-linux: Adapt to newest exile.h	2025-11-04 21:29:17 +01:00
Albert S.	9b129f0255	submodules: exile.h: Update	2025-11-04 21:28:00 +01:00
Albert S.	8e77116027	Makefile: Don't hard-disable landlock anymore	2025-11-03 23:33:20 +01:00