Special URL will cause URL Malformed error which breaks the asterisk match; this especially impacts SSR mode. #2722

Closed
zslucky opened this issue Apr 17, 2019 · 6 comments

zslucky commented Apr 17, 2019

Version

3.0.6

Reproduction link

https://codesandbox.io/s/wq6llvoxr7?fontsize=14

Steps to reproduce

  1. Configure a simple router. (This step can be done with vue-cli, which can quickly create a project with vue-router.)

    router = [
      { path: '/', component: 'home' },
      { path: '*', component: '404' },
    ]

  2. Use the following URL in the browser address bar: http://localhost:3000/a'a'b"c>%3f>%25%7D%7D%25%25>c<[[%3f$%7B%7B%25%7D%7Dcake//property

What is expected?

  1. In SPA, it should match 404 page which I configured.
  2. In SSR mode, it also should return the correct matched info.

What is actually happening?

  1. In SPA, I got a JS error that blocked the app.
  2. In SSR mode, I can only handle the error; I can't render the correct page.

With this URL, SSR can't render the correct asterisk-matched page.

Member

posva commented Apr 17, 2019

Duplicate of #2719
Is fixed in #2723 :)

posva closed this as completed Apr 17, 2019

Author

zslucky commented Apr 18, 2019

@posva Sorry, it looks like this is not the same issue. Please double-check my issue, thanks so much.

Author

zslucky commented Apr 18, 2019

@posva I think every URL can be matched by the asterisk match rule.

Member

posva commented Apr 18, 2019 via email

Member

posva commented Apr 18, 2019

Okay, so the problem comes from %25, which is % encoded; that's the one causing the error. Right now it is decoded so users can use the decoded versions of their URLs, but things are a bit different with asterisk routes, where things are not decoded. There are currently multiple problems if we try to decode the %25: it would create problems in other places and also in different browsers, because IE doesn't implement the same standard for percents.
For the moment it would be quite difficult to fix this in the current version of Vue Router, but still possible. For the next version it's something I do take into consideration.

Right now you would have to escape the %25 with something like %2525 and then decode that in your code to get the real value.

I will create another issue to track the problem with %.

Edit: this should be fixable in the current version. I was confused with problems regarding query params, which are encoded differently.

Author

zslucky commented Apr 19, 2019

@posva Hi, thanks so much. This special URL was provided by someone who was scanning my website and trying to find vulnerabilities, so I can't avoid this URL.

I attempted to investigate the code: decodeURIComponent throws this error. Maybe we can just catch it and check whether there is a global match, and if so route to that match.
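
One way to apply the catch-and-fall-back idea from the comment above, as an added example that is not vue-router's code and not part of the original thread. `safeDecode` and `resolveRoute` are hypothetical helpers; the example assumes the failure occurs when the reporter's path, already decoded once, is passed to `decodeURIComponent` again with bare `%` characters in it.

```javascript
// Added example: hypothetical helpers, not vue-router's implementation.

// The path from the issue's reproduction URL, still percent-encoded.
const RAW_PATH =
  "/a'a'b\"c>%3f>%25%7D%7D%25%25>c<[[%3f$%7B%7B%25%7D%7Dcake//property";

// Route table from the issue.
const routes = [
  { path: '/', component: 'home' },
  { path: '*', component: '404' },
];

// Decode once and report failure instead of letting URIError escape.
function safeDecode(path) {
  try {
    return { ok: true, value: decodeURIComponent(path) };
  } catch (err) {
    if (err instanceof URIError) return { ok: false, value: path };
    throw err; // anything else is a real bug, do not swallow it
  }
}

// Exact match on the decoded path; otherwise fall back to the '*' route.
// A malformed path never matches exactly, so it always reaches the
// catch-all and the caller (for example an SSR handler) can log it.
function resolveRoute(routeTable, path) {
  const decoded = safeDecode(path);
  const exact = decoded.ok
    ? routeTable.find((r) => r.path === decoded.value)
    : undefined;
  const matched = exact || routeTable.find((r) => r.path === '*') || null;
  return {
    component: matched ? matched.component : null,
    malformed: !decoded.ok,
  };
}

// First decode succeeds and leaves literal '%' characters behind;
// decoding that result again is what throws "URI malformed".
const decodedOnce = decodeURIComponent(RAW_PATH);
console.log(resolveRoute(routes, decodedOnce));
console.log(resolveRoute(routes, '/'));
```

The `malformed` flag lets a server-side renderer serve the catch-all page while still recording that the request carried an undecodable path, which is useful when the traffic comes from a scanner.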
