Remove invalid utf8 sequences from GET and POST.

src/CMakeLists.txt

@@ -27,6 +27,7 @@ add_executable(${PROJECT_NAME}
 	response_factory.cpp
 	list_highlight_langs.cpp
 	settings_bag.cpp
+	sanitized_utf8.cpp
 )
 
 configure_file(

src/cgi_environment_vars.cpp

@@ -17,6 +17,7 @@
 
 #include "cgi_environment_vars.hpp"
 #include "get_env.hpp"
+#include <utility>
 
 namespace tawashi {
 	std::vector<std::string> cgi_environment_vars() {
@@ -26,8 +27,8 @@ namespace tawashi {
 		retlist.reserve(CGIVars::_size());
 
 		for (CGIVars var : CGIVars::_values()) {
-			auto value = get_env_as<string_ref>(var._to_string(), "");
+			auto value = get_env_as<std::string>(var._to_string(), "");
-			retlist.push_back(std::string(value.data(), value.size()));
+			retlist.push_back(std::move(value));
 		}
 		return retlist;
 	}

src/cgi_post.cpp

@@ -19,6 +19,7 @@
 #include "cgi_env.hpp"
 #include "split_get_vars.hpp"
 #include "escapist.hpp"
+#include "sanitized_utf8.hpp"
 #include <iostream>
 #include <iterator>
 #include <algorithm>
@@ -48,6 +49,7 @@ namespace tawashi {
 						input_len,
 						std::back_inserter(original_data)
 					);
+					original_data = sanitized_utf8(original_data);
 
 					Escapist houdini;
 					for (auto& itm : split_env_vars(original_data)) {

src/get_env.cpp

@@ -17,26 +17,24 @@
 
 #include "get_env.hpp"
 #include "duckhandy/lexical_cast.hpp"
+#include "sanitized_utf8.hpp"
 #include <cstdlib>
 
 namespace tawashi {
-	boost::optional<boost::string_ref> get_env (const char* parName) {
+	boost::optional<std::string> get_env (const char* parName) {
 		using boost::string_ref;
 		using boost::make_optional;
 		using boost::optional;
 
 		const char* const raw_getvar = secure_getenv(parName);
-		return (raw_getvar ? make_optional(string_ref(raw_getvar)) : optional<string_ref>());
+		if (raw_getvar)
+			return sanitized_utf8(boost::string_ref(raw_getvar));
+		else
+			return optional<std::string>();
 	}
 
 	template <>
 	std::string get_env_as (const char* parName, const std::string& parDefault) {
-		auto var = get_env(parName);
-		return (var ? std::string(var->data(), var->size()) : parDefault);
-	}
-
-	template <>
-	boost::string_ref get_env_as (const char* parName, const boost::string_ref& parDefault) {
 		auto var = get_env(parName);
 		return (var ? *var : parDefault);
 	}

src/get_env.hpp

@@ -27,7 +27,7 @@
 #include <boost/optional.hpp>
 
 namespace tawashi {
-	boost::optional<boost::string_ref> get_env (const char* parName);
+	boost::optional<std::string> get_env (const char* parName);
 
 	template <typename A>
 	A get_env_as (const char* parName, const A& parDefault);
@@ -35,7 +35,5 @@ namespace tawashi {
 	template <>
 	std::string get_env_as (const char* parName, const std::string& parDefault);
 	template <>
-	boost::string_ref get_env_as (const char* parName, const boost::string_ref& parDefault);
-	template <>
 	std::size_t get_env_as (const char* parName, const std::size_t& parDefault);
 } //namespace tawashi

src/sanitized_utf8.cpp

@@ -0,0 +1,29 @@
+/* Copyright 2017, Michele Santullo
+ * This file is part of "tawashi".
+ *
+ * "tawashi" is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * "tawashi" is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with "tawashi".  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "sanitized_utf8.hpp"
+#include "utf8.h"
+#include <iterator>
+
+namespace tawashi {
+	std::string sanitized_utf8 (const boost::string_ref& parStr) {
+		std::string sanitized;
+		sanitized.reserve(parStr.size());
+		utf8::replace_invalid(parStr.begin(), parStr.end(), std::back_inserter(sanitized));
+		return sanitized;
+	}
+} //namespace tawashi

src/sanitized_utf8.hpp

@@ -0,0 +1,25 @@
+/* Copyright 2017, Michele Santullo
+ * This file is part of "tawashi".
+ *
+ * "tawashi" is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * "tawashi" is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with "tawashi".  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#pragma once
+
+#include <boost/utility/string_ref.hpp>
+#include <string>
+
+namespace tawashi {
+	std::string sanitized_utf8 (const boost::string_ref& parStr);
+} //namespace tawashi