char *FCGI_URLDecode(char *buf)
{
char *head = buf, *tail = buf;
- char hex[3] = {0};
+ char val, hex[3] = {0};
while (*tail) {
if (*tail == '%') { //%hh hex to char
if (isxdigit(*tail) && isxdigit(*(tail+1))) {
hex[0] = *tail++;
hex[1] = *tail++;
- *head++ = (char)strtol(hex, NULL, 16);
+ char val = (char)strtol(hex, NULL, 16);
+ //Control codes --> Space character
+ *head++ = (val < 0x20) ? 0x20 : val;
} else { //Not valid format; keep original
head++;
}
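Review bot: The new test `val < 0x20` is made on a plain `char`, so on targets where `char` is signed every `%80`–`%FF` escape decodes to a negative value and is also rewritten to a space, which corrupts percent-encoded UTF-8. Decoding into an unsigned byte keeps the filter to the control range: `unsigned char val = (unsigned char)strtol(hex, NULL, 16);` then `*head++ = (val < 0x20) ? ' ' : (char)val;` (add `|| val == 0x7F` if DEL should be neutralised too). The inner `char val` also shadows the `val` added to the declaration at the top of the function, which is then unused and can be dropped. As shown, the guard `isxdigit(*tail)` runs while `*tail` is still `'%'`, so this branch may never execute unless `tail` is advanced on a line not visible here. The function body continues past the end of the hunk.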
//strncpy doesn't zero-truncate properly
snprintf(module, BUFSIZ, "%s", getenv("DOCUMENT_URI_LOCAL"));
- //Read from post body. If not empty, try GET instead.
- if (fgets(params, BUFSIZ, stdin) == NULL || *params == '\0') {
- snprintf(params, BUFSIZ, "%s", getenv("QUERY_STRING"));
- }
+ //Get the GET query string
+ snprintf(params, BUFSIZ, "%s", getenv("QUERY_STRING"));
//URL decode the parameters
FCGI_URLDecode(params);
//Escape all special characters.
//Don't escape for login (password may have special chars?)
FCGI_EscapeText(params);
+ } else { //Only for Login handler.
+ //If GET data is empty, use POST instead.
+ if (*params == '\0') {
+ Log(LOGDEBUG, "Using POST!");
+ fgets(params, BUFSIZ, stdin);
+ FCGI_URLDecode(params);
+ }
}
module_handler(&context, params);
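Review bot: `getenv("QUERY_STRING")` on the added line can return NULL, and passing NULL to `%s` is undefined; on glibc it typically yields the text `(null)`, so `*params == '\0'` is false and the POST fallback for the login handler is skipped. Guard it with `const char *qs = getenv("QUERY_STRING");` and `snprintf(params, BUFSIZ, "%s", qs ? qs : "");`. The result of `fgets` in the fallback is unchecked as well; `if (fgets(params, BUFSIZ, stdin) == NULL) *params = '\0';` keeps `params` well defined on a read error. Because the login branch decodes but never escapes, a comment such as `//Login params stay unescaped: the handler must treat them as untrusted` would help, and reading GET first for login puts credentials in URLs that servers and proxies commonly log. The enclosing block opens outside the hunk, so the exact branch condition is not visible here.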