authorfrosty <frosty@illegalfirearms.store>2026-01-22 13:12:26 -0500
committerfrosty <frosty@illegalfirearms.store>2026-01-22 13:12:26 -0500
commit568047e925cbf76c2f187008be721e3e790d0a3d (patch)
tree77c66ddfb750b58df201384ea8c63d5c2db59497
parent4ed949c2bac6e54aab1789b2f7fd884f587f86c8 (diff)
whoopsie daisy 0_0HEADmaster
-rw-r--r--src/routing.c80
1 files changed, 39 insertions, 41 deletions
diff --git a/src/routing.c b/src/routing.c
index 1910203..89c6c2c 100644
--- a/src/routing.c
+++ b/src/routing.c
@@ -172,10 +172,10 @@ static int url_decode(char *dst, const char *src, size_t dst_size) {
char *parse_request_url(const char *request_line, UrlParams *params) {
char method[16];
- char raw_path_with_query[MAX_PATH_LEN];
+ char raw_url_full[MAX_PATH_LEN];
char http_version[16];
- if (sscanf(request_line, "%15s %255s %15s", method, raw_path_with_query,
+ if (sscanf(request_line, "%15s %255s %15s", method, raw_url_full,
http_version) != 3) {
fprintf(stderr, "[ERROR] parse_request_url: Malformed request line\n");
return NULL;
@@ -183,75 +183,73 @@ char *parse_request_url(const char *request_line, UrlParams *params) {
params->count = 0;
- char decoded_path[MAX_PATH_LEN];
- if (url_decode(decoded_path, raw_path_with_query, sizeof(decoded_path)) != 0) {
- fprintf(stderr, "[SECURITY] Invalid URL encoding in request\n");
- return NULL;
- }
-
- char *working_url_copy = strdup(decoded_path);
- if (!working_url_copy) {
+ char *working_raw = strdup(raw_url_full);
+ if (!working_raw) {
perror("Failed to allocate memory for URL copy");
return NULL;
}
- char *query_start = strchr(working_url_copy, '?');
+ char *query_start = strchr(working_raw, '?');
if (query_start) {
- *query_start = '\0';
+ *query_start = '\0';
+
+ }
+
+ char decoded_path[MAX_PATH_LEN];
+ if (url_decode(decoded_path, working_raw, sizeof(decoded_path)) != 0) {
+ fprintf(stderr, "[SECURITY] Invalid URL encoding in path\n");
+ free(working_raw);
+ return NULL;
}
char canonical_path[MAX_PATH_LEN];
- if (canonicalize_path(canonical_path, working_url_copy, sizeof(canonical_path)) != 0) {
+ if (canonicalize_path(canonical_path, decoded_path, sizeof(canonical_path)) != 0) {
fprintf(stderr, "[SECURITY] Path canonicalization failed\n");
- free(working_url_copy);
+ free(working_raw);
return NULL;
}
- char *path_copy_for_validation = strdup(canonical_path);
- if (path_copy_for_validation) {
- char *token = strtok(path_copy_for_validation, "/");
+ char *path_check = strdup(canonical_path);
+ if (path_check) {
+ char *token = strtok(path_check, "/");
while (token) {
if (!is_safe_path_component(token)) {
fprintf(stderr, "[SECURITY] Unsafe path component: %s\n", token);
- free(path_copy_for_validation);
- free(working_url_copy);
+ free(path_check);
+ free(working_raw);
return NULL;
}
token = strtok(NULL, "/");
}
- free(path_copy_for_validation);
+ free(path_check);
}
-
+
if (query_start) {
- char *query_string = query_start + 1;
- char *token;
+ char *query_string = query_start + 1;
+
+ char *pair;
char *saveptr;
- token = strtok_r(query_string, "&", &saveptr);
- while (token && params->count < MAX_URL_PARAMS) {
- char *equals = strchr(token, '=');
+ pair = strtok_r(query_string, "&", &saveptr);
+ while (pair && params->count < MAX_URL_PARAMS) {
+ char *equals = strchr(pair, '=');
if (equals) {
- size_t key_len = equals - token;
-
- char decoded_key[MAX_KEY_LEN];
- if (url_decode(decoded_key, token, key_len + 1) == 0) {
- strncpy(params->params[params->count].key, decoded_key, MAX_KEY_LEN - 1);
- params->params[params->count].key[MAX_KEY_LEN - 1] = '\0';
-
- char decoded_value[MAX_VALUE_LEN];
- if (url_decode(decoded_value, equals + 1, sizeof(decoded_value)) == 0) {
- strncpy(params->params[params->count].value, decoded_value, MAX_VALUE_LEN - 1);
- params->params[params->count].value[MAX_VALUE_LEN - 1] = '\0';
- params->count++;
- }
+ *equals = '\0';
+
+ char *raw_key = pair;
+ char *raw_val = equals + 1;
+
+ if (url_decode(params->params[params->count].key, raw_key, MAX_KEY_LEN) == 0 &&
+ url_decode(params->params[params->count].value, raw_val, MAX_VALUE_LEN) == 0) {
+ params->count++;
}
}
- token = strtok_r(NULL, "&", &saveptr);
+ pair = strtok_r(NULL, "&", &saveptr);
}
}
char *final_path = strdup(canonical_path);
- free(working_url_copy);
+ free(working_raw);
return final_path;
}
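Review bot: The component validation fails open: at `char *path_check = strdup(canonical_path); if (path_check) {` a failed strdup skips the whole is_safe_path_component loop, and the function goes on to return the path unchecked. Treat that allocation failure like the other error paths, e.g. `if (!path_check) { free(working_raw); return NULL; }` ahead of the loop. The same loop still tokenises with `strtok` while the query loop below uses `strtok_r`; using `strtok_r` here as well would keep the function reentrant. The rejected token is also written to stderr with a bare `%s` after decoding, so it may carry control characters into the log; escaping or truncating it before printing would be safer. parse_request_url begins above this hunk, so the request-line parsing is not visible here.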