From 4d92488ed8548e1f9daabc0a4e87ed1d2c6d4e77 Mon Sep 17 00:00:00 2001
From: Marc Worrell <marc@worrell.nl>
Date: Tue, 18 May 2021 15:08:30 +0200
Subject: [PATCH] Give a 400 error on illegal percent encoding. (#27)

---
 src/cowmachine.erl      | 3 +++
 src/cowmachine_util.erl | 7 +++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/cowmachine.erl b/src/cowmachine.erl
index af66698..dece76e 100644
--- a/src/cowmachine.erl
+++ b/src/cowmachine.erl
@@ -99,6 +99,9 @@ request_1(Controller, Req, Env, Options, Context) ->
             handle_stop_request(ResponseCode, Site, undefined, Req, Env, State, Context);
         throw:{stop_request, ResponseCode} when is_integer(ResponseCode) ->
             {stop, cowboy_req:reply(ResponseCode, Req)};
+        throw:invalid_percent_encoding ->
+            log(#{ at => ?AT, level => error, code => 400, text => "Illegal percent encoding" }, Req),
+            {stop, cowboy_req:reply(400, Req)};
         throw:Reason:Stacktrace ->
             log(#{ at => ?AT, level => error, code => 500, text => "Unexpected throw",
                    class => throw, reason => Reason,
diff --git a/src/cowmachine_util.erl b/src/cowmachine_util.erl
index b8f69f4..85279f6 100644
--- a/src/cowmachine_util.erl
+++ b/src/cowmachine_util.erl
@@ -311,7 +311,9 @@ parse_qs_value(<< $&, Rest/bits >>, Acc, Name, Value) ->
 parse_qs_value(<< C, Rest/bits >>, Acc, Name, Value) when C =/= $% ->
     parse_qs_value(Rest, Acc, Name, << Value/bits, C >>);
 parse_qs_value(<<>>, Acc, Name, Value) ->
-    lists:reverse([{Name, Value}|Acc]).
+    lists:reverse([{Name, Value}|Acc]);
+parse_qs_value(_Rest, _Acc, _Name, _Value) ->
+    throw(invalid_percent_encoding).
 
 unhex($0) ->  0;
 unhex($1) ->  1;
@@ -334,7 +336,8 @@ unhex($b) -> 11;
 unhex($c) -> 12;
 unhex($d) -> 13;
 unhex($e) -> 14;
-unhex($f) -> 15.
+unhex($f) -> 15;
+unhex(_) -> throw(invalid_percent_encoding).
 
 
 %% author Bob Ippolito <bob@mochimedia.com>