URL decode data after splitting the arguments

Data decoding should happen after the parsing; if not, a decoded '?', '&', '#'
or other character will interfere with the parsing. E.g. if the
user's password contains a '&', it is truncated at that character
and login will fail.
Nicolai Dagestad 2024-09-15 15:03:21 +02:00
parent 31ce1af736
commit ba5cbb6d82
4 changed files with 9 additions and 16 deletions


@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path,
} }
else else
if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) { if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) {
xs *upl = xs_url_dec(payload); args = xs_url_vars(payload);
args = xs_url_vars(upl);
} }
else else
args = xs_dup(xs_dict_get(req, "p_vars")); args = xs_dup(xs_dict_get(req, "p_vars"));
@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path,
{ {
// Some apps send form data instead of json so we should cater for those // Some apps send form data instead of json so we should cater for those
if (!xs_is_null(payload)) { if (!xs_is_null(payload)) {
xs *upl = xs_url_dec(payload); args = xs_url_vars(payload);
args = xs_url_vars(upl);
} }
} }
else else
@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path,
{ {
// Some apps send form data instead of json so we should cater for those // Some apps send form data instead of json so we should cater for those
if (!xs_is_null(payload)) { if (!xs_is_null(payload)) {
xs *upl = xs_url_dec(payload); args = xs_url_vars(payload);
args = xs_url_vars(upl);
} }
} }
else else
@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path,
{ {
// Some apps send form data instead of json so we should cater for those // Some apps send form data instead of json so we should cater for those
if (!xs_is_null(payload)) { if (!xs_is_null(payload)) {
xs *upl = xs_url_dec(payload); args = xs_url_vars(payload);
args = xs_url_vars(upl);
} }
} }
else else
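Review bot: Nothing at these four call sites (`oauth_post_handler` and the form branches of `mastoapi_post_handler`, `mastoapi_delete_handler` and `mastoapi_patch_handler`) records that `payload` must reach `xs_url_vars()` still percent-encoded, so a later cleanup could reintroduce the decode-first order. Decoding the whole body before the split lets an encoded `&` or `=` inside one field, such as a password, be read as a separator, which changes the set of parameters the handler sees. I would add a short comment above each call, e.g. `// pass the raw body: xs_url_vars() decodes each pair after splitting`. The handlers start and end outside these hunks.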


@ -179,8 +179,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
req = xs_dict_append(req, "method", v); req = xs_dict_append(req, "method", v);
else else
if (strcmp(k, "REQUEST_URI") == 0) { if (strcmp(k, "REQUEST_URI") == 0) {
xs *udp = xs_url_dec(v); xs *pnv = xs_split_n(v, "?", 1);
xs *pnv = xs_split_n(udp, "?", 1);
/* store the path */ /* store the path */
req = xs_dict_append(req, "path", xs_list_get(pnv, 0)); req = xs_dict_append(req, "path", xs_list_get(pnv, 0));
@ -233,8 +232,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
const char *ct = xs_dict_get(req, "content-type"); const char *ct = xs_dict_get(req, "content-type");
if (*payload && ct && strcmp(ct, "application/x-www-form-urlencoded") == 0) { if (*payload && ct && strcmp(ct, "application/x-www-form-urlencoded") == 0) {
xs *upl = xs_url_dec(*payload); p_vars = xs_url_vars(*payload);
p_vars = xs_url_vars(upl);
} }
else else
if (*payload && ct && xs_startswith(ct, "multipart/form-data")) { if (*payload && ct && xs_startswith(ct, "multipart/form-data")) {
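Review bot: With `xs_url_dec(v)` removed from the `REQUEST_URI` branch, the value stored under `"path"` is the first element of the undecoded split, so it stays percent-encoded unless something outside this hunk decodes it. Before this commit the path was decoded as a side effect of decoding the whole URI; route matching on a path that contains `%40` or similar would now see the raw form, and a front-end proxy and the application could disagree on which path was requested. If the path is meant to be decoded, do it after the split: `xs *path = xs_url_dec(xs_list_get(pnv, 0));` followed by `req = xs_dict_append(req, "path", path);`. The same applies to the first hunk of `xs_httpd_request`. `xs_fcgi_request` continues outside both hunks.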


@ -36,7 +36,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
{ {
/* split the path with its optional variables */ /* split the path with its optional variables */
xs *udp = xs_url_dec(xs_list_get(l2, 1)); const xs_val *udp = xs_list_get(l2, 1);
xs *pnv = xs_split_n(udp, "?", 1); xs *pnv = xs_split_n(udp, "?", 1);
/* store the path */ /* store the path */
@ -75,8 +75,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
v = xs_dict_get(req, "content-type"); v = xs_dict_get(req, "content-type");
if (*payload && v && strcmp(v, "application/x-www-form-urlencoded") == 0) { if (*payload && v && strcmp(v, "application/x-www-form-urlencoded") == 0) {
xs *upl = xs_url_dec(*payload); p_vars = xs_url_vars(*payload);
p_vars = xs_url_vars(upl);
} }
else else
if (*payload && v && xs_startswith(v, "multipart/form-data")) { if (*payload && v && xs_startswith(v, "multipart/form-data")) {
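Review bot: In the first hunk the name `udp` is kept although the value is no longer the result of `xs_url_dec()`; it now holds the request target exactly as received. A name that says so would keep a reader from assuming the string is already decoded, e.g. `const xs_val *raw_uri = xs_list_get(l2, 1);` with `xs *pnv = xs_split_n(raw_uri, "?", 1);`. The body of `xs_httpd_request` continues outside both hunks.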


@ -53,7 +53,7 @@ xs_dict *xs_url_vars(const char *str)
const xs_val *v; const xs_val *v;
xs_list_foreach(args, v) { xs_list_foreach(args, v) {
xs *kv = xs_split_n(v, "=", 1); xs *kv = xs_split_n(xs_url_dec(v), "=", 1);
if (xs_list_len(kv) == 2) { if (xs_list_len(kv) == 2) {
const char *key = xs_list_get(kv, 0); const char *key = xs_list_get(kv, 0);
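Review bot: The new `xs_split_n(xs_url_dec(v), "=", 1)` passes the string returned by `xs_url_dec()` as a temporary, whereas every call removed by this commit stored that result in an `xs *` variable; unless `xs_split_n()` takes ownership, which is not visible here, one string is leaked per parameter on every request that carries variables. It also decodes before splitting on `=`, so an encoded `%3D` in a key moves the split point, the same class of problem the commit fixes for `&`. Splitting first and decoding each half avoids both: `xs *kv = xs_split_n(v, "=", 1);` then `xs *key = xs_url_dec(xs_list_get(kv, 0));`, with the value decoded the same way before it is stored. The loop body continues outside the hunk.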