Prevent double decoding of % in url params (#17997) (#18001)

release/v1.15
zeripath 2021-12-16 23:03:20 +00:00 committed by GitHub
parent fc8c23edb7
commit 3a77465e4e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 47 additions and 7 deletions


@ -1 +1 @@
3a810dbf6b96afaa8c5f69a8b6ec1dabfca7368b 59e2c41e8f5140bb0182acebec17c8ad9831cc62


@ -6,6 +6,7 @@ package integrations
import ( import (
"net/http" "net/http"
"net/url"
"path" "path"
"testing" "testing"
@ -83,7 +84,7 @@ func TestNonasciiBranches(t *testing.T) {
}, },
{ {
from: "Plus+Is+Not+Space/Файл.md", from: "Plus+Is+Not+Space/Файл.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md", to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK, status: http.StatusOK,
}, },
{ {
@ -114,7 +115,7 @@ func TestNonasciiBranches(t *testing.T) {
}, },
{ {
from: "タグ/ファイル.md", from: "タグ/ファイル.md",
to: "tag/%e3%82%bf%e3%82%b0/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md", to: "tag/%e3%82%bf%e3%82%b0/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
status: http.StatusOK, status: http.StatusOK,
}, },
// Files // Files
@ -125,12 +126,12 @@ func TestNonasciiBranches(t *testing.T) {
}, },
{ {
from: "Файл.md", from: "Файл.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md", to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK, status: http.StatusOK,
}, },
{ {
from: "ファイル.md", from: "ファイル.md",
to: "branch/Plus+Is+Not+Space/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md", to: "branch/Plus+Is+Not+Space/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
status: http.StatusNotFound, // it's not on default branch status: http.StatusNotFound, // it's not on default branch
}, },
// Same but url-encoded (few tests) // Same but url-encoded (few tests)
@ -146,7 +147,7 @@ func TestNonasciiBranches(t *testing.T) {
}, },
{ {
from: "%D0%A4%D0%B0%D0%B9%D0%BB.md", from: "%D0%A4%D0%B0%D0%B9%D0%BB.md",
to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md", to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
status: http.StatusOK, status: http.StatusOK,
}, },
{ {
@ -159,6 +160,41 @@ func TestNonasciiBranches(t *testing.T) {
to: "tag/%d0%81/%e4%ba%ba", to: "tag/%d0%81/%e4%ba%ba",
status: http.StatusOK, status: http.StatusOK,
}, },
{
from: "Plus+Is+Not+Space/%25%252525mightnotplaywell",
to: "branch/Plus+Is+Not+Space/%25%252525mightnotplaywell",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
to: "branch/Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/10%25.md",
to: "branch/Plus+Is+Not+Space/10%25.md",
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
status: http.StatusOK,
},
{
from: "Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
to: "branch/Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
status: http.StatusOK,
},
} }
defer prepareTestEnv(t)() defer prepareTestEnv(t)()
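Review bot: The expected Location values in this table now mix two escaping conventions inside one URL — `tag/%e3%82%bf%e3%82%b0/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md` keeps the ref segment lowercase while the file segment is uppercase, and `tag/%d0%81/%e4%ba%ba` stays entirely lowercase — and nothing in the test says this is intentional rather than two code paths drifting apart. A comment above the table would pin the contract, e.g. `// Ref segments keep the lowercase escaping of the branch-name sub-URL; tree paths are re-escaped per segment with url.PathEscape (uppercase). The expectations below encode that split deliberately.` (the ref/tree split is what the RepoRefByType hunk in this commit suggests, so phrase it as the observed behaviour). The new cases exercise `%25` and `%2525` but not `%2F`; since the fix routes on the escaped path, a case like `"Plus+Is+Not+Space/" + url.PathEscape("a%2Fb.md")` would show whether an encoded slash now survives as one segment or is split into a directory and a file — its expected status depends on the fixture repository, so it needs checking rather than guessing. The TestNonasciiBranches body continues outside this hunk.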


@ -669,6 +669,10 @@ func Contexter() func(next http.Handler) http.Handler {
var locale = middleware.Locale(resp, req) var locale = middleware.Locale(resp, req)
var startTime = time.Now() var startTime = time.Now()
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/") var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
chiCtx := chi.RouteContext(req.Context())
chiCtx.RoutePath = req.URL.EscapedPath()
var ctx = Context{ var ctx = Context{
Resp: NewResponse(resp), Resp: NewResponse(resp),
Cache: mc.GetCache(), Cache: mc.GetCache(),
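Review bot: `chi.RouteContext(req.Context())` returns nil when the request did not pass through a chi mux, and the unconditional field write on the next added line would then panic; if Contexter is ever invoked outside the router (direct handler tests, for example) a guard is cheap insurance: `if chiCtx := chi.RouteContext(req.Context()); chiCtx != nil { chiCtx.RoutePath = req.URL.EscapedPath() }`. The assignment is the actual fix and deserves a why-comment, something like `// Route on the escaped path so chi does not decode %XX once and the parameter lookup a second time` (the second decode is presumably the double decoding the commit title refers to; confirm against ctx.Params). If this middleware ever runs inside a mounted sub-router, overwriting RoutePath would also discard the prefix the parent mux had already stripped — worth confirming against how the web routes are mounted, in particular for AppSubURL deployments. Contexter starts and ends outside this hunk.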


@ -833,7 +833,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context
setting.AppSubURL, setting.AppSubURL,
strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*")), strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*")),
ctx.Repo.BranchNameSubURL(), ctx.Repo.BranchNameSubURL(),
ctx.Repo.TreePath)) util.PathEscapeSegments(ctx.Repo.TreePath)))
return return
} }
} }
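Review bot: Only the tail of the redirect is now percent-escaped; the prefix is still built from the decoded `ctx.Req.URL.Path` with the decoded `ctx.Params("*")` trimmed off, so any character in the owner, repository or route prefix that needs escaping would be emitted raw while the tree path is escaped, yielding one Location with two encodings. Gitea's name validation presumably keeps owner and repository names to characters that need no escaping, but that is an invariant enforced elsewhere, and a one-line comment should record the reliance: `// prefix is taken from the decoded path and assumed escape-free (owner/repo names are validated); only TreePath needs re-escaping`. The alternative is to derive the prefix from `ctx.Req.URL.EscapedPath()` and trim `util.PathEscapeSegments(ctx.Params("*"))`, which would need a test showing the two escaped forms agree for a client-supplied lowercase `%xx` path before it is safe. RepoRefByType starts outside this hunk.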