commit ba5cbb6d828165a43826c6afdd71fa2edbdca302
parent 31ce1af73630143036d9cfc6a8a5083402f6b7aa
Author: Nicolai Dagestad <nicolai@dagestad.fr>
Date: Sun, 15 Sep 2024 15:03:21 +0200
URL decode data after splitting the arguments
Data decoding should happen after the parsing; if not, a decoded '?', '&', '#'
or other character will interfere with the parsing. E.g. if the
user's password contains a '&', it is truncated at that character
and login will fail.
Diffstat:
4 files changed, 9 insertions(+), 16 deletions(-)
diff --git a/mastoapi.c b/mastoapi.c
@@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path,
}
else
if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) {
- xs *upl = xs_url_dec(payload);
- args = xs_url_vars(upl);
+ args = xs_url_vars(payload);
}
else
args = xs_dup(xs_dict_get(req, "p_vars"));
@@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path,
{
// Some apps send form data instead of json so we should cater for those
if (!xs_is_null(payload)) {
- xs *upl = xs_url_dec(payload);
- args = xs_url_vars(upl);
+ args = xs_url_vars(payload);
}
}
else
@@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path,
{
// Some apps send form data instead of json so we should cater for those
if (!xs_is_null(payload)) {
- xs *upl = xs_url_dec(payload);
- args = xs_url_vars(upl);
+ args = xs_url_vars(payload);
}
}
else
@@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path,
{
// Some apps send form data instead of json so we should cater for those
if (!xs_is_null(payload)) {
- xs *upl = xs_url_dec(payload);
- args = xs_url_vars(upl);
+ args = xs_url_vars(payload);
}
}
else
diff --git a/xs_fcgi.h b/xs_fcgi.h
@@ -179,8 +179,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
req = xs_dict_append(req, "method", v);
else
if (strcmp(k, "REQUEST_URI") == 0) {
- xs *udp = xs_url_dec(v);
- xs *pnv = xs_split_n(udp, "?", 1);
+ xs *pnv = xs_split_n(v, "?", 1);
/* store the path */
req = xs_dict_append(req, "path", xs_list_get(pnv, 0));
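Review bot: The path stored right after the split is no longer URL-decoded: `xs_url_dec(v)` was removed and nothing in this hunk decodes `xs_list_get(pnv, 0)` before it is appended as "path". Unless a later part of xs_fcgi_request (outside the hunk) decodes it, handlers that match on "path" now see percent-encoded bytes where they used to see decoded ones, so routing and any check keyed on the path change behaviour. Decode the path component exactly once, after the split, e.g. `xs *path = xs_url_dec(xs_list_get(pnv, 0));`, and append `path`. The first hunk of xs_httpd.h has the same gap, and its variable `udp` now holds the undecoded request target, so the name is misleading.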
@@ -233,8 +232,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id)
const char *ct = xs_dict_get(req, "content-type");
if (*payload && ct && strcmp(ct, "application/x-www-form-urlencoded") == 0) {
- xs *upl = xs_url_dec(*payload);
- p_vars = xs_url_vars(upl);
+ p_vars = xs_url_vars(*payload);
}
else
if (*payload && ct && xs_startswith(ct, "multipart/form-data")) {
diff --git a/xs_httpd.h b/xs_httpd.h
@@ -36,7 +36,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
{
/* split the path with its optional variables */
- xs *udp = xs_url_dec(xs_list_get(l2, 1));
+ const xs_val *udp = xs_list_get(l2, 1);
xs *pnv = xs_split_n(udp, "?", 1);
/* store the path */
@@ -75,8 +75,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size)
v = xs_dict_get(req, "content-type");
if (*payload && v && strcmp(v, "application/x-www-form-urlencoded") == 0) {
- xs *upl = xs_url_dec(*payload);
- p_vars = xs_url_vars(upl);
+ p_vars = xs_url_vars(*payload);
}
else
if (*payload && v && xs_startswith(v, "multipart/form-data")) {
diff --git a/xs_url.h b/xs_url.h
@@ -53,7 +53,7 @@ xs_dict *xs_url_vars(const char *str)
const xs_val *v;
xs_list_foreach(args, v) {
- xs *kv = xs_split_n(v, "=", 1);
+ xs *kv = xs_split_n(xs_url_dec(v), "=", 1);
if (xs_list_len(kv) == 2) {
const char *key = xs_list_get(kv, 0);
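Review bot: `xs_split_n(xs_url_dec(v), "=", 1)` passes the result of xs_url_dec as a temporary, so nothing frees it. The lines removed elsewhere in this commit kept that result in an `xs *` local, which suggests it is a fresh allocation; if so, this leaks one string per form variable on every request. It also decodes before the split on '=', so an encoded `%3D` in a key is treated as a separator, the same class of bug the commit fixes for '&'. Split first with `xs *kv = xs_split_n(v, "=", 1);`, then decode each part into its own local inside the length check, `xs *key = xs_url_dec(xs_list_get(kv, 0));` and likewise for the value. The rest of xs_url_vars lies outside the hunk, so the existing `key` declaration and the value lookup need adjusting to match.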