From: Lars Ingebrigtsen <larsi@gnus.org>
Date: Sun, 15 Apr 2018 20:20:28 +0000 (+0200)
Subject: Make eww handle "http://a/../../../g"
X-Git-Tag: emacs-27.0.90~5176
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=a37a14e0a8ee16b7ae53b4dba9b60329e3b4308d;p=emacs.git

Make eww handle "http://a/../../../g"

* lisp/net/eww.el (eww): Strip leading elements off URLs on the
form "http://a/../../../g", because that's what all the other
browsers do (bug#8622).
---

diff --git a/lisp/net/eww.el b/lisp/net/eww.el
index 49bf10d4ebe..f7371896120 100644
--- a/lisp/net/eww.el
+++ b/lisp/net/eww.el
@@ -269,8 +269,13 @@ word(s) will be searched for via `eww-search-prefix'."
   (let ((parsed (url-generic-parse-url url)))
     (when (url-host parsed)
       (unless (puny-highly-restrictive-domain-p (url-host parsed))
-        (setf (url-host parsed) (puny-encode-domain (url-host parsed)))
-        (setq url (url-recreate-url parsed)))))
+        (setf (url-host parsed) (puny-encode-domain (url-host parsed)))))
+    ;; When the URL is on the form "http://a/../../../g", chop off all
+    ;; the leading "/.."s.
+    (when (url-filename parsed)
+      (while (string-match "\\`/[.][.]/" (url-filename parsed))
+        (setf (url-filename parsed) (substring (url-filename parsed) 3))))
+    (setq url (url-recreate-url parsed)))
   (plist-put eww-data :url url)
   (plist-put eww-data :title "")
   (eww-update-header-line-format)