
Prevent double decoding of % in url params (#17997)

There was an unfortunate regression in #14293 which has led to the double decoding
of url parameter elements if they contain a '%'. This is due to an issue
with the way chi decodes its RoutePath. In detail the problem lies in
mux.go where the routeHTTP path uses the URL.RawPath or even the
URL.Path instead of the escaped path to do routing.

This PR simply forcibly sets the routePath to that of the EscapedPath.

Fix #17938

Signed-off-by: Andrew Thornton <art27@cantab.net>
tags/v1.16.0-rc1
zeripath 3 years ago committed by GitHub
parent
commit
6e7d28cf3a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/4c/61dd0a799e0830e77edfe6c74f7c349bc8e62a
  2. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/50/4d9fe743979d4e9785a25a363c7007293f0838
  3. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/59/e2c41e8f5140bb0182acebec17c8ad9831cc62
  4. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/64/89894ad11093fdc49c0ed857d80682344a7264
  5. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/84/7c6d93c6860dd377651245711b7fbcd34a18d4
  6. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/9b/9cc8f558d1c4f815592496fa24308ba2a9c824
  7. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/a4/f1bb3f2f8c6a0e840e935812ef4903ce515dad
  8. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/c7/85b65bf16928b58567cb23669125c0ccd25a4f
  9. BIN
      integrations/gitea-repositories-meta/user2/utf8.git/objects/e9/63733b8a355cf860c465b4af7b236a6ef08783
  10. 2
      integrations/gitea-repositories-meta/user2/utf8.git/refs/heads/Plus+Is+Not+Space
  11. 36
      integrations/nonascii_branches_test.go
  12. 4
      modules/context/context.go

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/4c/61dd0a799e0830e77edfe6c74f7c349bc8e62a

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/50/4d9fe743979d4e9785a25a363c7007293f0838

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/59/e2c41e8f5140bb0182acebec17c8ad9831cc62

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/64/89894ad11093fdc49c0ed857d80682344a7264

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/84/7c6d93c6860dd377651245711b7fbcd34a18d4

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/9b/9cc8f558d1c4f815592496fa24308ba2a9c824

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/a4/f1bb3f2f8c6a0e840e935812ef4903ce515dad

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/c7/85b65bf16928b58567cb23669125c0ccd25a4f

Binary file not shown.

BIN
integrations/gitea-repositories-meta/user2/utf8.git/objects/e9/63733b8a355cf860c465b4af7b236a6ef08783

Binary file not shown.

2
integrations/gitea-repositories-meta/user2/utf8.git/refs/heads/Plus+Is+Not+Space

@ -1 +1 @@
3a810dbf6b96afaa8c5f69a8b6ec1dabfca7368b 59e2c41e8f5140bb0182acebec17c8ad9831cc62

36
integrations/nonascii_branches_test.go

@ -6,6 +6,7 @@ package integrations
import ( import (
"net/http" "net/http"
"net/url"
"path" "path"
"testing" "testing"
@ -159,6 +160,41 @@ func TestNonasciiBranches(t *testing.T) {
to: "tag/%D0%81/%E4%BA%BA", to: "tag/%D0%81/%E4%BA%BA",
status: http.StatusOK, status: http.StatusOK,
}, },
{
from: "Plus+Is+Not+Space/%25%252525mightnotplaywell",
to: "branch/Plus+Is+Not+Space/%25%252525mightnotplaywell",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
to: "branch/Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/10%25.md",
to: "branch/Plus+Is+Not+Space/10%25.md",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
status: http.StatusOK,
},
} }
defer prepareTestEnv(t)() defer prepareTestEnv(t)()
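Review bot: Every case added to the table in TestNonasciiBranches expects `http.StatusOK`, so the test shows that singly-escaped names resolve but never asserts that a name escaped one level too many is rejected, which is the property this fix restores. Consider a negative case such as `from: "Plus+Is+Not+Space/10%2525.md"` with `status: http.StatusNotFound`, assuming the fixture branch holds no file literally named `10%25.md` (the fixture contents are not visible here). Without such a case, a later regression that decodes twice could still pass if both the once-decoded and twice-decoded names happened to exist. How the `to` field is checked for a non-200 case is decided outside this hunk, and TestNonasciiBranches itself begins before and continues after it.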

4
modules/context/context.go

@ -609,6 +609,10 @@ func Contexter() func(next http.Handler) http.Handler {
var locale = middleware.Locale(resp, req) var locale = middleware.Locale(resp, req)
var startTime = time.Now() var startTime = time.Now()
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/") var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
chiCtx := chi.RouteContext(req.Context())
chiCtx.RoutePath = req.URL.EscapedPath()
var ctx = Context{ var ctx = Context{
Resp: NewResponse(resp), Resp: NewResponse(resp),
Cache: mc.GetCache(), Cache: mc.GetCache(),
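Review bot: The result of `chi.RouteContext(req.Context())` is dereferenced on the next added line without a nil check. chi returns nil when the request context carries no route context, so `chiCtx.RoutePath = ...` would panic if this middleware ever runs outside a chi router, for example in a handler unit test. Guard it with `if chiCtx := chi.RouteContext(req.Context()); chiCtx != nil { chiCtx.RoutePath = req.URL.EscapedPath() }`, and add a comment such as `// route on the escaped path so chi decodes each URL parameter exactly once`, because these parameters feed ref and file lookups and a second decode changes which name is resolved. The override also appears to assume Contexter is installed on the top-level router; under a mounted sub-router the full escaped path would replace a prefix-stripped RoutePath, which is worth confirming. Contexter's body begins and ends outside this hunk.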
