Prevent double decoding of % in url params (#17997) (#18001)

release/v1.15
zeripath 2021-12-16 23:03:20 +00:00 committed by GitHub
parent fc8c23edb7
commit 3a77465e4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 47 additions and 7 deletions

View File

@ -1 +1 @@
3a810dbf6b96afaa8c5f69a8b6ec1dabfca7368b
59e2c41e8f5140bb0182acebec17c8ad9831cc62

View File

@ -6,6 +6,7 @@ package integrations
import (
"net/http"
"net/url"
"path"
"testing"
@ -83,7 +84,7 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "Plus+Is+Not+Space/Файл.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK,
},
{
@ -114,7 +115,7 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "タグ/ファイル.md",
to: "tag/%e3%82%bf%e3%82%b0/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md",
to: "tag/%e3%82%bf%e3%82%b0/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
status: http.StatusOK,
},
// Files
@ -125,12 +126,12 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "Файл.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK,
},
{
from: "ファイル.md",
to: "branch/Plus+Is+Not+Space/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md",
to: "branch/Plus+Is+Not+Space/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
status: http.StatusNotFound, // it's not on default branch
},
// Same but url-encoded (few tests)
@ -146,7 +147,7 @@ func TestNonasciiBranches(t *testing.T) {
},
{
from: "%D0%A4%D0%B0%D0%B9%D0%BB.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK,
},
{
@ -159,6 +160,41 @@ func TestNonasciiBranches(t *testing.T) {
to: "tag/%d0%81/%e4%ba%ba",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/%25%252525mightnotplaywell",
to: "branch/Plus+Is+Not+Space/%25%252525mightnotplaywell",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
to: "branch/Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/10%25.md",
to: "branch/Plus+Is+Not+Space/10%25.md",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
status: http.StatusOK,
},
}
defer prepareTestEnv(t)()

View File

@ -669,6 +669,10 @@ func Contexter() func(next http.Handler) http.Handler {
var locale = middleware.Locale(resp, req)
var startTime = time.Now()
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
chiCtx := chi.RouteContext(req.Context())
chiCtx.RoutePath = req.URL.EscapedPath()
var ctx = Context{
Resp: NewResponse(resp),
Cache: mc.GetCache(),

View File

@ -833,7 +833,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context
setting.AppSubURL,
strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*")),
ctx.Repo.BranchNameSubURL(),
ctx.Repo.TreePath))
util.PathEscapeSegments(ctx.Repo.TreePath)))
return
}
}