From: Eric Wong <e@yhbt.net>
Date: Tue, 4 Feb 2020 04:44:21 +0000 (+0000)
Subject: www: stricter regexp for 405 errors
X-Git-Tag: v1.3.0~20
X-Git-Url: http://www.git.stargrave.org/?p=public-inbox.git;a=commitdiff_plain;h=c5ce0f75020db9b3fa7dae9958bedcdb08452e04

www: stricter regexp for 405 errors

We want to match "GET" and "HEAD" exactly, not requests which
start with "GET" or end with "HEAD".  This doesn't seem like
a real problem for public-inboxes which are actually public
data anyways.
---

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index efe7c8ca..3ce7cc2a 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -70,7 +70,7 @@ sub call {
 			return invalid_inbox($ctx, $1) || mbox_results($ctx);
 		}
 	}
-	elsif ($method !~ /\AGET|HEAD\z/) {
+	elsif ($method !~ /\A(?:GET|HEAD)\z/) {
 		return r(405);
 	}
 
diff --git a/t/httpd.t b/t/httpd.t
index 2972afb2..c9756a70 100644
--- a/t/httpd.t
+++ b/t/httpd.t
@@ -49,6 +49,11 @@ EOF
 	$td = start_script($cmd, undef, { 3 => $sock });
 	my $host = $sock->sockhost;
 	my $port = $sock->sockport;
+	{
+		my $bad = tcp_connect($sock);
+		print $bad "GETT / HTTP/1.0\r\n\r\n" or die;
+		like(<$bad>, qr!\AHTTP/1\.[01] 405\b!, 'got 405 on bad req');
+	}
 	my $conn = tcp_connect($sock);
 	ok($conn, 'connected');
 	ok($conn->write("GET / HTTP/1.0\r\n\r\n"), 'wrote data to socket');