mirror of https://github.com/go-gitea/gitea.git
Prevent double decoding of % in url params (#17997)
There was an unfortunate regression in #14293 which has led to the double decoding of url parameter elements if they contain a '%'. This is due to an issue with the way chi decodes its RoutePath. In detail the problem lies in mux.go where the routeHTTP path uses the URL.RawPath or even the URL.Path instead of the escaped path to do routing. This PR simply forcibly sets the routePath to that of the EscapedPath. Fix #17938 Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
parent
e0e3ba6c12
commit
6e7d28cf3a
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -1 +1 @@
|
||||||
3a810dbf6b96afaa8c5f69a8b6ec1dabfca7368b
|
59e2c41e8f5140bb0182acebec17c8ad9831cc62
|
||||||
|
|
|
@ -6,6 +6,7 @@ package integrations
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"net/url"
|
||||||
"path"
|
"path"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
@ -159,6 +160,41 @@ func TestNonasciiBranches(t *testing.T) {
|
||||||
to: "tag/%D0%81/%E4%BA%BA",
|
to: "tag/%D0%81/%E4%BA%BA",
|
||||||
status: http.StatusOK,
|
status: http.StatusOK,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/%25%252525mightnotplaywell",
|
||||||
|
to: "branch/Plus+Is+Not+Space/%25%252525mightnotplaywell",
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
|
||||||
|
to: "branch/Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
|
||||||
|
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/10%25.md",
|
||||||
|
to: "branch/Plus+Is+Not+Space/10%25.md",
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
|
||||||
|
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
|
||||||
|
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
from: "Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
|
||||||
|
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
|
||||||
|
status: http.StatusOK,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
defer prepareTestEnv(t)()
|
defer prepareTestEnv(t)()
|
||||||
|
|
|
@ -609,6 +609,10 @@ func Contexter() func(next http.Handler) http.Handler {
|
||||||
var locale = middleware.Locale(resp, req)
|
var locale = middleware.Locale(resp, req)
|
||||||
var startTime = time.Now()
|
var startTime = time.Now()
|
||||||
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
|
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
|
||||||
|
|
||||||
|
chiCtx := chi.RouteContext(req.Context())
|
||||||
|
chiCtx.RoutePath = req.URL.EscapedPath()
|
||||||
|
|
||||||
var ctx = Context{
|
var ctx = Context{
|
||||||
Resp: NewResponse(resp),
|
Resp: NewResponse(resp),
|
||||||
Cache: mc.GetCache(),
|
Cache: mc.GetCache(),
|
||||||
|
|
Loading…
Reference in New Issue