Prevent double decoding of % in url params (#17997) #18001
Merged: techknowlogick merged 3 commits into go-gitea:release/v1.15 from zeripath:backport-17997-v1.15 on Dec 16, 2021
Conversation
There was an unfortunate regression in go-gitea#14293 which has led to the double decoding of url parameter elements if they contain a '%'. This is due to an issue with the way chi decodes its RoutePath. In detail the problem lies in mux.go where the routeHTTP path uses the URL.RawPath or even the URL.Path instead of the escaped path to do routing.

This PR simply forcibly sets the routePath to that of the EscapedPath.

Fix go-gitea#17938

Signed-off-by: Andrew Thornton <art27@cantab.net>
jolheiser approved these changes on Dec 16, 2021
ah interesting this patch doesn't work on 1.15...

Aha! It works but the escaping fixes that I made to 1.16 aren't in 1.15
Signed-off-by: Andrew Thornton <art27@cantab.net>
KN4CK3R approved these changes on Dec 16, 2021
zeripath added a commit to zeripath/gitea that referenced this pull request on Dec 19, 2021
## [1.15.8](https://github.com/go-gitea/gitea/releases/tag/v1.15.8) - 2021-12-19

* BUGFIXES
  * Reset locale on login (go-gitea#18023) (go-gitea#18025)
  * Fix reset password email template (go-gitea#17025) (go-gitea#18022)
  * Fix outType on gitea dump (go-gitea#18000) (go-gitea#18016)
  * Ensure complexity, minlength and isPwned are checked on password setting (go-gitea#18005) (go-gitea#18015)
  * Fix rename notification bug (go-gitea#18011)
  * Prevent double decoding of % in url params (go-gitea#17997) (go-gitea#18001)
  * Prevent hang in git cat-file if the repository is not a valid repository (Partial go-gitea#17991) (go-gitea#17992)
  * Prevent deadlock in create issue (go-gitea#17970) (go-gitea#17982)
* TESTING
  * Use non-expiring key. (go-gitea#17984) (go-gitea#17985)

Signed-off-by: Andrew Thornton <art27@cantab.net>
Merged
lafriks pushed a commit that referenced this pull request on Dec 20, 2021
## [1.15.8](https://github.com/go-gitea/gitea/releases/tag/v1.15.8) - 2021-12-19

* BUGFIXES
  * Reset locale on login (#18023) (#18025)
  * Fix reset password email template (#17025) (#18022)
  * Fix outType on gitea dump (#18000) (#18016)
  * Ensure complexity, minlength and isPwned are checked on password setting (#18005) (#18015)
  * Fix rename notification bug (#18011)
  * Prevent double decoding of % in url params (#17997) (#18001)
  * Prevent hang in git cat-file if the repository is not a valid repository (Partial #17991) (#17992)
  * Prevent deadlock in create issue (#17970) (#17982)
* TESTING
  * Use non-expiring key. (#17984) (#17985)

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update CHANGELOG.md

Co-authored-by: 6543 <6543@obermui.de>
Labels

* lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
* topic/security: Something leaks user information or is otherwise vulnerable. Should be fixed!
* type/bug
Backport #17997

There was an unfortunate regression in #14293 which has led to the double decoding of url parameter elements if they contain a '%'. This is due to an issue with the way chi decodes its RoutePath. In detail the problem lies in mux.go where the routeHTTP path uses the URL.RawPath or even the URL.Path instead of the escaped path to do routing.

This PR simply forcibly sets the routePath to that of the EscapedPath.

Fix #17938

Signed-off-by: Andrew Thornton <art27@cantab.net>
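The root cause described in the PR body (and in the squashed commit message above) is a property of Go's `net/url`, not of Gitea: `URL.RawPath` is only populated when the incoming encoding differs from what `net/url` would produce itself, so a router that prefers `RawPath` and falls back to `Path` is handed the already decoded path for many requests, and any later `PathUnescape` of the extracted parameter is a second decode. The following is an added example, not code from Gitea or chi: it models the "RawPath or Path" selection the PR attributes to chi's mux.go with a stand-in picker, next to the "always EscapedPath" selection the PR forces, and runs both over a hypothetical `/repo/:name` route with constructed URLs whose name segment contains an escaped `%`, an escaped `/` and a space.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// routePicker selects the string a router matches patterns against and
// slices URL parameters out of.
type routePicker func(*url.URL) string

// rawOrPath is a stand-in (not chi's code) for the selection the PR text
// describes: prefer URL.RawPath, fall back to URL.Path. net/url only fills
// RawPath when the wire encoding differs from its own canonical encoding of
// Path, so "/a%2541" arrives here as the decoded "/a%41".
func rawOrPath(u *url.URL) string {
	if u.RawPath != "" {
		return u.RawPath
	}
	return u.Path
}

// escapedPath is the behaviour the PR forces: always route on the escaped form.
func escapedPath(u *url.URL) string {
	return u.EscapedPath()
}

// repoParam extracts the ":name" segment of a hypothetical "/repo/:name"
// route and unescapes it exactly once, as an application layer that expects
// an escaped route path does. If the router already handed over the decoded
// path, this call is the second decode the PR title refers to.
func repoParam(routePath string) (string, error) {
	const prefix = "/repo/"
	if !strings.HasPrefix(routePath, prefix) {
		return "", errors.New("route did not match /repo/:name")
	}
	return url.PathUnescape(strings.TrimPrefix(routePath, prefix))
}

// Resolve parses a request URL and returns the :name parameter as seen
// through the given route-path selection policy.
func Resolve(rawURL string, pick routePicker) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return repoParam(pick(u))
}

func main() {
	// Constructed sample URLs (not taken from the PR or the linked issue).
	for _, raw := range []string{
		"http://gitea.example/repo/a%2541", // name is literally "a%41"
		"http://gitea.example/repo/100%25", // name is literally "100%"
		"http://gitea.example/repo/a%2Fb",  // name contains an escaped slash
		"http://gitea.example/repo/a%20b",  // name contains a space
	} {
		u, _ := url.Parse(raw)
		buggy, berr := Resolve(raw, rawOrPath)
		fixed, ferr := Resolve(raw, escapedPath)
		fmt.Printf("%-34s Path=%-14q RawPath=%-16q rawOrPath=%q (err=%v) escapedPath=%q (err=%v)\n",
			raw, u.Path, u.RawPath, buggy, berr, fixed, ferr)
	}
}
```

Only the `%2F` case sets `RawPath`, so only that case is routed on the escaped form under the "RawPath or Path" policy; the `%25` cases fall back to the decoded `Path`, where the second `PathUnescape` turns `a%41` into `aA` and fails outright on a trailing `%`. Routing on `EscapedPath()` gives the same, single decode for every input, which is why the PR forces the route path to it rather than patching individual parameter getters.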