Skip to content

Commit

Permalink
Resolve URL encoding bug
Browse files Browse the repository at this point in the history 
Closes #2495
  • Loading branch information
@stickz
stickz committed Apr 27, 2023
1 parent e03b5a2 commit b0f3ab4
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 2 deletions.
3 changes: 2 additions & 1 deletion js/rtorrent.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -317,7 +317,8 @@ rTorrentStub.prototype.list = function()

rTorrentStub.prototype.setuisettings = function()
{
this.content = "v="+encodeURIComponent(this.vs[0]);
// encodeURIComponent is called inside webui.js to avoid injection
this.content = "v="+this.vs[0];
this.mountPoint = theURLs.SetSettingsURL;
this.contentType = "application/x-www-form-urlencoded";
this.dataType = "text";
Expand Down
3 changes: 2 additions & 1 deletion js/webui.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -915,7 +915,8 @@ var theWebUI =
if((/^webui\./).test(i))
cookie[i] = v;
}
theWebUI.request("?action=setuisettings&v=" + JSON.stringify(cookie),reply);
// We must encode the URL here to avoid injection with the "&" symbol from search results
theWebUI.request("?action=setuisettings&v=" + encodeURIComponent(JSON.stringify(cookie),reply));
},

//
Expand Down

0 comments on commit b0f3ab4

Please sign in to comment.