Revert "cgi: relax path restriction for top-level"

[public-inbox.git] / public-inbox.cgi

diff --git a/public-inbox.cgi b/public-inbox.cgi
index 374b03d4374cfa6cc058d3b215c22405342767b6..9d60d1fc6370f6a9be163279de86110f51ad4bc3 100755 (executable)
--- a/public-inbox.cgi
+++ b/public-inbox.cgi
@@ -15,9 +15,9 @@ use warnings;
 use CGI qw(:cgi :escapeHTML -nosticky); # PSGI/FastCGI/mod_perl compat
 use Encode qw(decode_utf8);
 use PublicInbox::Config;
-use URI::Escape qw(uri_unescape);
+use URI::Escape qw(uri_escape uri_unescape);
 use Digest::SHA qw(sha1_hex);
-our $LISTNAME_RE = qr!\A(?:/.*?)?/([\w\.\-]+)!;
+our $LISTNAME_RE = qr!\A/([\w\.\-]+)!;
 our $pi_config;
 BEGIN {
        $pi_config = PublicInbox::Config->new;
@@ -62,7 +62,9 @@ sub main {
        # top-level indices and feeds
        if ($path_info eq "/") {
                r404();
-       } elsif ($path_info =~ m!$LISTNAME_RE/(?:index\.html)?\z!o) {
+       } elsif ($path_info =~ m!$LISTNAME_RE\z!o) {
+               invalid_list(\%ctx, $1) || redirect_list_index(\%ctx, $cgi);
+       } elsif ($path_info =~ m!$LISTNAME_RE(?:/|/index\.html)?\z!o) {
                invalid_list(\%ctx, $1) || get_index(\%ctx, $cgi, 1);
        } elsif ($path_info =~ m!$LISTNAME_RE/(?:all\.html)?\z!o) {
                invalid_list(\%ctx, $1) || get_index(\%ctx, $cgi, 0);
@@ -85,8 +87,6 @@ sub main {
        } elsif ($path_info =~ m!$LISTNAME_RE/f/(\S+)\z!o) {
                redirect_mid_html($cgi, $1, $2);
 
-       } elsif ($path_info =~ m!$LISTNAME_RE\z!o) {
-               invalid_list(\%ctx, $1) || redirect_list_index(\%ctx, $cgi);
        } else {
                r404();
        }
@@ -172,9 +172,7 @@ sub get_mid_html {
        my $x = mid2blob($ctx);
        return r404() unless $x;
 
-       my $pfx = $cgi->self_url;
-       $pfx =~ s!/m/.+\z!/!; # FIXME: this is not robust
-
+       my $pfx = "../f/" . uri_escape($ctx->{mid}) . ".html";
        require PublicInbox::View;
        require Email::MIME;
        [ "200 OK", {'Content-Type' => 'text/html'},