From c7440c2c3366e516ef9b0f4c34093e0c7f5c23d4 Mon Sep 17 00:00:00 2001
From: Runxi Yu
Date: Sat, 22 Mar 2025 11:44:59 +0800
Subject: Fix tree/raw redirection and disallow slashes in their path segments
---
 http_server.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 (limited to 'http_server.go')
diff --git a/http_server.go b/http_server.go
index c883cdf..584c48d 100644
--- a/http_server.go
+++ b/http_server.go
@@ -28,7 +28,6 @@ func (router *forgeHTTPRouter) ServeHTTP(w http.ResponseWriter, r *http.Request)
 return
 }
 if segments[len(segments)-1] == "" {
- // Might assign a trailing bool here
 segments = segments[:len(segments)-1]
 }
 
@@ -172,12 +171,20 @@ func (router *forgeHTTPRouter) ServeHTTP(w http.ResponseWriter, r *http.Request)
 repoFeature := segments[sepIndex+3]
 switch repoFeature {
 case "tree":
+ if anyContain(segments[sepIndex+4:], "/") {
+ errorPage400(w, params, "Repo tree paths may not contain slashes in any segments")
+ return
+ }
 params["rest"] = strings.Join(segments[sepIndex+4:], "/")
 if len(segments) < sepIndex+5 && redirectDir(w, r) {
 return
 }
 httpHandleRepoTree(w, r, params)
 case "raw":
+ if anyContain(segments[sepIndex+4:], "/") {
+ errorPage400(w, params, "Repo tree paths may not contain slashes in any segments")
+ return
+ }
 params["rest"] = strings.Join(segments[sepIndex+4:], "/")
 if len(segments) < sepIndex+5 && redirectDir(w, r) {
 return
-- 
cgit v1.2.3
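Review bot: In the `case "raw":` branch the new 400 response reuses the tree wording, so a client requesting a raw URL is told about "Repo tree paths"; `errorPage400(w, params, "Repo raw paths may not contain slashes in any segments")` would match the route. The guard rejects only a literal `/` inside a segment (presumably one that arrived percent-encoded), so segments such as `..` or an empty string are still joined into `params["rest"]`. Whether that is safe depends on httpHandleRepoTree and the raw handler, neither of which is visible here. A one-line comment above each check would record the intent, e.g. `// a "/" inside a single segment would make the joined path ambiguous`. ServeHTTP starts and ends outside this hunk, and the `raw` branch is cut off after its `return`.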