Browse Source

Prevent double decoding of % in url params (#17997) (#18001)

tags/v1.15.8
zeripath 4 years ago committed by GitHub
parent
commit
3a77465e4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/4c/61dd0a799e0830e77edfe6c74f7c349bc8e62a
  2. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/50/4d9fe743979d4e9785a25a363c7007293f0838
  3. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/59/e2c41e8f5140bb0182acebec17c8ad9831cc62
  4. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/64/89894ad11093fdc49c0ed857d80682344a7264
  5. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/84/7c6d93c6860dd377651245711b7fbcd34a18d4
  6. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/9b/9cc8f558d1c4f815592496fa24308ba2a9c824
  7. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/a4/f1bb3f2f8c6a0e840e935812ef4903ce515dad
  8. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/c7/85b65bf16928b58567cb23669125c0ccd25a4f
  9. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/e9/63733b8a355cf860c465b4af7b236a6ef08783
  10. 2
      integrations/gitea-repositories-meta/user2/utf8.git/refs/heads/Plus+Is+Not+Space
  11. 46
      integrations/nonascii_branches_test.go
  12. 4
      modules/context/context.go
  13. 2
      modules/context/repo.go

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/4c/61dd0a799e0830e77edfe6c74f7c349bc8e62a

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/50/4d9fe743979d4e9785a25a363c7007293f0838

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/59/e2c41e8f5140bb0182acebec17c8ad9831cc62

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/64/89894ad11093fdc49c0ed857d80682344a7264

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/84/7c6d93c6860dd377651245711b7fbcd34a18d4

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/9b/9cc8f558d1c4f815592496fa24308ba2a9c824

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/a4/f1bb3f2f8c6a0e840e935812ef4903ce515dad

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/c7/85b65bf16928b58567cb23669125c0ccd25a4f

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/e9/63733b8a355cf860c465b4af7b236a6ef08783

Binary file not shown.

2
integrations/gitea-repositories-meta/user2/utf8.git/refs/heads/Plus+Is+Not+Space

@ -1 +1 @@
3a810dbf6b96afaa8c5f69a8b6ec1dabfca7368b
59e2c41e8f5140bb0182acebec17c8ad9831cc62

46
integrations/nonascii_branches_test.go

@ -6,6 +6,7 @@ package integrations
import (
"net/http"
"net/url"
"path"
"testing"
@ -83,7 +84,7 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "Plus+Is+Not+Space/Файл.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK,
},
{
@ -114,7 +115,7 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "タグ/ファイル.md",
to: "tag/%e3%82%bf%e3%82%b0/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md",
to: "tag/%e3%82%bf%e3%82%b0/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
status: http.StatusOK,
},
// Files
@ -125,12 +126,12 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "Файл.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK,
},
{
from: "ファイル.md",
to: "branch/Plus+Is+Not+Space/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md",
to: "branch/Plus+Is+Not+Space/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
status: http.StatusNotFound, // it's not on default branch
},
// Same but url-encoded (few tests)
@ -146,7 +147,7 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "%D0%A4%D0%B0%D0%B9%D0%BB.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK,
},
{
@ -159,6 +160,41 @@ func TestNonasciiBranches(t *testing.T) {
to: "tag/%d0%81/%e4%ba%ba",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/%25%252525mightnotplaywell",
to: "branch/Plus+Is+Not+Space/%25%252525mightnotplaywell",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
to: "branch/Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/10%25.md",
to: "branch/Plus+Is+Not+Space/10%25.md",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
status: http.StatusOK,
},
}
defer prepareTestEnv(t)()

4
modules/context/context.go

@ -669,6 +669,10 @@ func Contexter() func(next http.Handler) http.Handler {
var locale = middleware.Locale(resp, req)
var startTime = time.Now()
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
chiCtx := chi.RouteContext(req.Context())
chiCtx.RoutePath = req.URL.EscapedPath()
var ctx = Context{
Resp: NewResponse(resp),
Cache: mc.GetCache(),

2
modules/context/repo.go

@ -833,7 +833,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context
setting.AppSubURL,
strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*")),
ctx.Repo.BranchNameSubURL(),
ctx.Repo.TreePath))
util.PathEscapeSegments(ctx.Repo.TreePath)))
return
}
}

Loading…
Cancel
Save