
Commit 3a77465

authored
Prevent double decoding of % in url params (#17997) (#18001)
1 parent fc8c23e commit 3a77465

13 files changed

+47
-7
lines changed
@@ -1 +1 @@
1-
3a810dbf6b96afaa8c5f69a8b6ec1dabfca7368b
1+
59e2c41e8f5140bb0182acebec17c8ad9831cc62

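--- a/integrations/nonascii_branches_test.go
+++ b/integrations/nonascii_branches_test.go
@@ -6,6 +6,7 @@ package integrations
 
 import (
 "net/http"
+"net/url"
 "path"
 "testing"
 
@@ -83,7 +84,7 @@ func TestNonasciiBranches(t *testing.T) {
 },
 {
 from: "Plus+Is+Not+Space/Файл.md",
-to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
+to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
 status: http.StatusOK,
 },
 {
@@ -114,7 +115,7 @@ func TestNonasciiBranches(t *testing.T) {
 },
 {
 from: "タグ/ファイル.md",
-to: "tag/%e3%82%bf%e3%82%b0/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md",
+to: "tag/%e3%82%bf%e3%82%b0/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
 status: http.StatusOK,
 },
 // Files
@@ -125,12 +126,12 @@ func TestNonasciiBranches(t *testing.T) {
 },
 {
 from: "Файл.md",
-to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
+to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
 status: http.StatusOK,
 },
 {
 from: "ファイル.md",
-to: "branch/Plus+Is+Not+Space/%e3%83%95%e3%82%a1%e3%82%a4%e3%83%ab.md",
+to: "branch/Plus+Is+Not+Space/%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB.md",
 status: http.StatusNotFound, // it's not on default branch
 },
 // Same but url-encoded (few tests)
@@ -146,7 +147,7 @@ func TestNonasciiBranches(t *testing.T) {
 },
 {
 from: "%D0%A4%D0%B0%D0%B9%D0%BB.md",
-to: "branch/Plus+Is+Not+Space/%d0%a4%d0%b0%d0%b9%d0%bb.md",
+to: "branch/Plus+Is+Not+Space/%D0%A4%D0%B0%D0%B9%D0%BB.md",
 status: http.StatusOK,
 },
 {
@@ -159,6 +160,41 @@ func TestNonasciiBranches(t *testing.T) {
 to: "tag/%d0%81/%e4%ba%ba",
 status: http.StatusOK,
 },
+{
+from: "Plus+Is+Not+Space/%25%252525mightnotplaywell",
+to: "branch/Plus+Is+Not+Space/%25%252525mightnotplaywell",
+status: http.StatusOK,
+},
+{
+from: "Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
+to: "branch/Plus+Is+Not+Space/%25253Fisnotaquestion%25253F",
+status: http.StatusOK,
+},
+{
+from: "Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
+to: "branch/Plus+Is+Not+Space/" + url.PathEscape("%3Fis?and#afile"),
+status: http.StatusOK,
+},
+{
+from: "Plus+Is+Not+Space/10%25.md",
+to: "branch/Plus+Is+Not+Space/10%25.md",
+status: http.StatusOK,
+},
+{
+from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
+to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%20has 1space"),
+status: http.StatusOK,
+},
+{
+from: "Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
+to: "branch/Plus+Is+Not+Space/" + url.PathEscape("This+file%2520has 2 spaces"),
+status: http.StatusOK,
+},
+{
+from: "Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
+to: "branch/Plus+Is+Not+Space/" + url.PathEscape("£15&$6.txt"),
+status: http.StatusOK,
+},
 }
 
 defer prepareTestEnv(t)()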
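Review bot: The seven cases added at new lines 163-197 carry no comment saying what they guard, and the expectations are easy to misread: names such as `%25%252525mightnotplaywell` and `%25253Fisnotaquestion%25253F` only round-trip if the server decodes the path exactly once. A comment above the first new case, for example `// Literal % sequences must survive a single decode; a second decode would change the file name (#17997)`, would keep a later cleanup from pruning them as duplicates. The tag expectation at new line 118 now mixes lowercase hex in the ref segment with uppercase hex in the file segment, presumably because the two segments are escaped by different code paths, and that deserves a one-line comment as well. None of the new names contains an encoded separator such as `%2F`; if the fixture repository can hold one, that is the case most sensitive to a second decode. The table's element type and the assertion loop lie outside these hunks.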

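--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -669,6 +669,10 @@ func Contexter() func(next http.Handler) http.Handler {
 var locale = middleware.Locale(resp, req)
 var startTime = time.Now()
 var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
+
+chiCtx := chi.RouteContext(req.Context())
+chiCtx.RoutePath = req.URL.EscapedPath()
+
 var ctx = Context{
 Resp: NewResponse(resp),
 Cache: mc.GetCache(),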
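Review bot: `chi.RouteContext` returns nil when the request context carries no chi route context, so the assignment at new line 674 would panic if this middleware ever runs outside a chi router (a bare `http.Handler` in a test, for instance); a guard is cheap: `if chiCtx := chi.RouteContext(req.Context()); chiCtx != nil { chiCtx.RoutePath = req.URL.EscapedPath() }`. The override also needs a why-comment, because from this point route parameters are matched against the escaped path and come back still percent-encoded, so every reader has to decode them exactly once: `// Route on the escaped path so params are decoded once by the param accessor, never by the router`. If Contexter is ever attached below a mounted sub-router, overwriting RoutePath with the full request path would presumably discard the remainder chi computed for that sub-router, which is worth confirming. The closure body starts and ends outside this hunk.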

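--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@@ -833,7 +833,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context
 setting.AppSubURL,
 strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*")),
 ctx.Repo.BranchNameSubURL(),
-ctx.Repo.TreePath))
+util.PathEscapeSegments(ctx.Repo.TreePath)))
 return
 }
 }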
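Review bot: Only the last argument of this join is escaped at new line 836, while the prefix at line 834 is still taken from the decoded `ctx.Req.URL.Path`, so the redirect target is assembled from a mix of decoded and escaped components. The `strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*"))` call strips the wildcard only if `ctx.Params("*")` returns the decoded form; with routing now done on the escaped path that is worth confirming, because a mismatch would leave the tree path in the prefix and repeat it in the Location header. A comment recording the assumption would help the next reader: `// URL.Path and Params("*") are both decoded here; TreePath is re-escaped per segment for the redirect`. The enclosing call and the function body start outside this hunk.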
