Skip to content

Prevent double decoding of % in url params (#17997) #18001

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Dec 16, 2021
Merged

Prevent double decoding of % in url params (#17997) #18001

merged 3 commits into from
Dec 16, 2021

Conversation

zeripath
Copy link
Contributor

Backport #17997

There was an unfortunate regression in #14293 which has led to the double decoding
of url parameter elements if they contain a '%'. This is due to an issue
with the way chi decodes its RoutePath. In detail the problem lies in
mux.go where the routeHTTP path uses the URL.RawPath or even the
URL.Path instead of the escaped path to do routing.

This PR simply forcibly sets the routePath to that of the EscapedPath.

Fix #17938

Signed-off-by: Andrew Thornton art27@cantab.net

@zeripath
Prevent double decoding of % in url params (go-gitea#17997)
7683429 
There was an unfortunate regression in go-gitea#14293 which has led to the double decoding
of url parameter elements if they contain a '%'. This is due to an issue
with the way chi decodes its RoutePath. In detail the problem lies in
mux.go where the routeHTTP path uses the URL.RawPath or even the
URL.Path instead of the escaped path to do routing.

This PR simply forcibly sets the routePath to that of the EscapedPath.

Fix go-gitea#17938

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath added this to the 1.15.8 milestone Dec 16, 2021
@GiteaBot GiteaBot added the lgtm/need 1 This PR needs approval from one additional maintainer to be merged. label Dec 16, 2021
@zeripath
Copy link
Contributor Author

ah interesting this patch doesn't work on 1.15...

@zeripath
Copy link
Contributor Author

Aha ! It works but the escaping fixes that I made to 1.16 aren't in 1.15

@zeripath
escape redirect
84d5924 
Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath
more test fixes
b049b72 
Signed-off-by: Andrew Thornton <art27@cantab.net>
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Dec 16, 2021
@techknowlogick techknowlogick merged commit 3a77465 into go-gitea:release/v1.15 Dec 16, 2021
@zeripath zeripath deleted the backport-17997-v1.15 branch December 17, 2021 13:39
zeripath added a commit to zeripath/gitea that referenced this pull request Dec 19, 2021
@zeripath
Changelog 1.15.8
6b6e5a3 
 ## [1.15.8](https://github.com/go-gitea/gitea/releases/tag/v1.15.8) - 2021-12-19

* BUGFIXES
  * Reset locale on login (go-gitea#18023) (go-gitea#18025)
  * Fix reset password email template (go-gitea#17025) (go-gitea#18022)
  * Fix outType on gitea dump (go-gitea#18000) (go-gitea#18016)
  * Ensure complexity, minlength and isPwned are checked on password setting (go-gitea#18005) (go-gitea#18015)
  * Fix rename notification bug (go-gitea#18011)
  * Prevent double decoding of % in url params  (go-gitea#17997) (go-gitea#18001)
  * Prevent hang in git cat-file if the repository is not a valid repository (Partial go-gitea#17991) (go-gitea#17992)
  * Prevent deadlock in create issue (go-gitea#17970) (go-gitea#17982)
* TESTING
  * Use non-expiring key. (go-gitea#17984) (go-gitea#17985)

Signed-off-by: Andrew Thornton <art27@cantab.net>
@zeripath zeripath mentioned this pull request Dec 19, 2021
Merged
lafriks pushed a commit that referenced this pull request Dec 20, 2021
@zeripath @6543
Changelog 1.15.8 (#18026)
6081948 
## [1.15.8](https://github.com/go-gitea/gitea/releases/tag/v1.15.8) - 2021-12-19

* BUGFIXES
  * Reset locale on login (#18023) (#18025)
  * Fix reset password email template (#17025) (#18022)
  * Fix outType on gitea dump (#18000) (#18016)
  * Ensure complexity, minlength and isPwned are checked on password setting (#18005) (#18015)
  * Fix rename notification bug (#18011)
  * Prevent double decoding of % in url params  (#17997) (#18001)
  * Prevent hang in git cat-file if the repository is not a valid repository (Partial #17991) (#17992)
  * Prevent deadlock in create issue (#17970) (#17982)
* TESTING
  * Use non-expiring key. (#17984) (#17985)

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update CHANGELOG.md

Co-authored-by: 6543 <6543@obermui.de>
@fnetX fnetX mentioned this pull request Dec 21, 2021
Closed
@zeripath zeripath added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Dec 22, 2021
@go-gitea go-gitea locked and limited conversation to collaborators Apr 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@KN4CK3R KN4CK3R KN4CK3R approved these changes

@jolheiser jolheiser jolheiser approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! type/bug
Projects
None yet
Milestone
1.15.8
Development

Successfully merging this pull request may close these issues.
5 participants
@zeripath @KN4CK3R @jolheiser @techknowlogick @GiteaBot