From 1d67c30d1a23604a33306d1506b148f3b3c6f47a Mon Sep 17 00:00:00 2001
From: Jed Reynolds <jed@bitratchet.com>
Date: Tue, 1 Feb 2022 16:11:11 -0800
Subject: [PATCH] LFRequest.py: raise ValueError when provided a highly
 improbable URL/PATH combination.

This was triggered by a call to admin_up() that was passing self.lfclient_url as an un-named parameter, creating
unanswerable requests formatted like http://localhost:8080/http:/localhost:8080/. There should really only be
one http[s]*:// pattern in a URL, and further instances of colons should be URL encoded to %3A.

Signed-off-by: Jed Reynolds <jed@bitratchet.com>
---
 py-json/LANforge/LFRequest.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/py-json/LANforge/LFRequest.py b/py-json/LANforge/LFRequest.py
index 368e91a7..7fd89a7e 100644
--- a/py-json/LANforge/LFRequest.py
+++ b/py-json/LANforge/LFRequest.py
@@ -62,12 +62,19 @@ class LFRequest:
         #         print("LFRequest: proxies: ")
         #         pprint.pprint(self.proxies)
 
+        if url and uri and (url.startswith("http:/") or url.startswith("https:/"))\
+                and (uri.startswith("http:/") or uri.startswith("https:/")):
+            raise ValueError("URL and PATH are both URLs: url[%s] uri[%s]" % (url, uri))
+        if url and uri and uri.startswith("http:/"):
+            raise ValueError("URL is present and PATH is an URL: url[%s] uri[%s]" % (url, uri))
         if not url.startswith("http://") and not url.startswith("https://"):
             self.logger.warning("No http:// or https:// found, prepending http:// to " + url)
             url = "http://" + url
         if uri is not None:
             if not url.endswith('/') and not uri.startswith('/'):
                 url += '/'
+            if (uri.find("http:")>=0) or (uri.find("https:")>=0):
+                self.logger.warning("PATH contains an protocol that is not URL encoded: [%s]" % uri)
             self.requested_url = url + uri
         else:
             self.requested_url = url