diff --git a/src/auth.go b/src/auth.go index d397940..ccc98fc 100644 --- a/src/auth.go +++ b/src/auth.go @@ -65,10 +65,14 @@ func GetHost(r *http.Request) (string, error) { return host, nil } +func IsValidProjectName(name string) bool { + return !strings.HasPrefix(name, ".") && !strings.Contains(name, "%") +} + func GetProjectName(r *http.Request) (string, error) { // path must be either `/` or `/foo/` (`/foo` is accepted as an alias) path := strings.TrimPrefix(strings.TrimSuffix(r.URL.Path, "/"), "/") - if path == ".index" || strings.HasPrefix(path, ".index/") { + if !IsValidProjectName(path) { return "", AuthError{http.StatusBadRequest, fmt.Sprintf("directory name %q is reserved", ".index")} } else if strings.Contains(path, "/") { diff --git a/src/pages.go b/src/pages.go index fe97387..cd9f2f7 100644 --- a/src/pages.go +++ b/src/pages.go 
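Review bot: The 400 returned in GetProjectName still says `directory name ".index" is reserved`, but the new `!IsValidProjectName(path)` guard also fires for every other dot-prefixed name and for any path containing `%`, so the message is now wrong for most rejected inputs; a message that states the rule without echoing the request path would be `fmt.Sprintf("directory names starting with %q or containing %q are reserved", ".", "%")`. IsValidProjectName is exported but carries no doc comment; one that pins the contract would be `// IsValidProjectName reports whether name may be used as a project directory: it must not start with "." (which covers the reserved ".index" directory) and must not contain "%".`. The reason "%" is rejected is not visible in this diff and belongs in that comment too, since a later reader cannot tell whether it protects an encoding step in makeWebRoot or something else. Note that the helper rejects neither "/" nor the empty string, so each caller still has to split the path and handle the root case itself, as GetProjectName does in its `else if strings.Contains(path, "/")` branch. GetProjectName's body continues past the end of this hunk.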
@@ -132,18 +132,20 @@ func getPage(w http.ResponseWriter, r *http.Request) error {
 err = nil
 sitePath = strings.TrimPrefix(r.URL.Path, "/")
 if projectName, projectPath, hasProjectSlash := strings.Cut(sitePath, "/"); projectName != "" {
- var projectManifest *Manifest
- var projectMetadata ManifestMetadata
- projectManifest, projectMetadata, err = backend.GetManifest(
- r.Context(), makeWebRoot(host, projectName),
- GetManifestOptions{BypassCache: bypassCache},
- )
- if err == nil {
- if !hasProjectSlash {
- writeRedirect(w, http.StatusFound, r.URL.Path+"/")
- return nil
+ if IsValidProjectName(projectName) {
+ var projectManifest *Manifest
+ var projectMetadata ManifestMetadata
+ projectManifest, projectMetadata, err = backend.GetManifest(
+ r.Context(), makeWebRoot(host, projectName),
+ GetManifestOptions{BypassCache: bypassCache},
+ )
+ if err == nil {
+ if !hasProjectSlash {
+ writeRedirect(w, http.StatusFound, r.URL.Path+"/")
+ return nil
+ }
+ sitePath, manifest, metadata = projectPath, projectManifest, projectMetadata
+ }
- sitePath, manifest, metadata = projectPath, projectManifest, projectMetadata
 }
 }
 if manifest == nil && (err == nil || errors.Is(err, ErrObjectNotFound)) {
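Review bot: The added `if IsValidProjectName(projectName)` wrapper indents an otherwise unchanged body one level deeper, while the enclosing `if` contains nothing else, so the two tests can be folded into one condition: `if projectName, projectPath, hasProjectSlash := strings.Cut(sitePath, "/"); projectName != "" && IsValidProjectName(projectName) {`, which leaves the existing body at its original indentation. Either way, what happens for an invalid first segment deserves a comment, because unlike GetProjectName (which answers 400) this path silently skips the project lookup and, with `manifest == nil` and `err == nil`, drops into the root-site branch below; that looks intentional so that dot-prefixed paths on the root site keep resolving, but nothing here says so. A line such as `// A dot-prefixed or "%"-containing first segment is never a project; leave manifest nil so the path is served from the host's root site.` above the check would make the fall-through explicit. getPage starts before and ends after this hunk.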