From ba5cbb6d828165a43826c6afdd71fa2edbdca302 Mon Sep 17 00:00:00 2001 From: Nicolai Dagestad Date: Sun, 15 Sep 2024 15:03:21 +0200 Subject: [PATCH] URL decode data after splitting the arguments Data decoding should happen after the parsing if not, a '?', '&', '#' or other character decoded will interfere with the parsing. e.g. the users password contains a '&', then it is truncated on that character, and login will fail. --- mastoapi.c | 12 ++++-------- xs_fcgi.h | 6 ++---- xs_httpd.h | 5 ++--- xs_url.h | 2 +- 4 files changed, 9 insertions(+), 16 deletions(-) diff --git a/mastoapi.c b/mastoapi.c index ec8268c..ffd1982 100644 --- a/mastoapi.c +++ b/mastoapi.c @@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path, } else if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } else args = xs_dup(xs_dict_get(req, "p_vars")); @@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path, { // Some apps send form data instead of json so we should cater for those if (!xs_is_null(payload)) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } } else @@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path, { // Some apps send form data instead of json so we should cater for those if (!xs_is_null(payload)) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } } else @@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path, { // Some apps send form data instead of json so we should cater for those if (!xs_is_null(payload)) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } } else diff --git a/xs_fcgi.h b/xs_fcgi.h index 0dbd895..6d3b030 100644 --- a/xs_fcgi.h +++ b/xs_fcgi.h 
@@ -179,8 +179,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id) req = xs_dict_append(req, "method", v); else if (strcmp(k, "REQUEST_URI") == 0) { - xs *udp = xs_url_dec(v); - xs *pnv = xs_split_n(udp, "?", 1); + xs *pnv = xs_split_n(v, "?", 1); /* store the path */ req = xs_dict_append(req, "path", xs_list_get(pnv, 0)); @@ -233,8 +232,7 @@ xs_dict *xs_fcgi_request(FILE *f, xs_str **payload, int *p_size, int *fcgi_id) const char *ct = xs_dict_get(req, "content-type"); if (*payload && ct && strcmp(ct, "application/x-www-form-urlencoded") == 0) { - xs *upl = xs_url_dec(*payload); - p_vars = xs_url_vars(upl); + p_vars = xs_url_vars(*payload); } else if (*payload && ct && xs_startswith(ct, "multipart/form-data")) { diff --git a/xs_httpd.h b/xs_httpd.h index 1782487..02b8ac2 100644 --- a/xs_httpd.h +++ b/xs_httpd.h @@ -36,7 +36,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size) { /* split the path with its optional variables */ - xs *udp = xs_url_dec(xs_list_get(l2, 1)); + const xs_val *udp = xs_list_get(l2, 1); xs *pnv = xs_split_n(udp, "?", 1); /* store the path */ @@ -75,8 +75,7 @@ xs_dict *xs_httpd_request(FILE *f, xs_str **payload, int *p_size) v = xs_dict_get(req, "content-type"); if (*payload && v && strcmp(v, "application/x-www-form-urlencoded") == 0) { - xs *upl = xs_url_dec(*payload); - p_vars = xs_url_vars(upl); + p_vars = xs_url_vars(*payload); } else if (*payload && v && xs_startswith(v, "multipart/form-data")) { diff --git a/xs_url.h b/xs_url.h index d6dd47a..a4f9dc1 100644 --- a/xs_url.h +++ b/xs_url.h @@ -53,7 +53,7 @@ xs_dict *xs_url_vars(const char *str) const xs_val *v; xs_list_foreach(args, v) { - xs *kv = xs_split_n(v, "=", 1); + xs *kv = xs_split_n(xs_url_dec(v), "=", 1); if (xs_list_len(kv) == 2) { const char *key = xs_list_get(kv, 0);
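Review bot: The value stored under `"path"` is now the still-percent-encoded first half of REQUEST_URI, because the hunk drops `xs_url_dec` on the whole URI without re-applying it to the path segment after the `?` split. Before this change a request for `/users/foo%20bar` produced a decoded path; now it does not, so any later route matching or string comparison on `path` sees different input unless the path is decoded somewhere outside this hunk. The commit's stated intent (split first, decode second) is achieved for the path by decoding only that segment: `xs *path = xs_url_dec(xs_list_get(pnv, 0)); req = xs_dict_append(req, "path", path);`. Decoding the segment does turn `%2F` into `/`, but that is the same behaviour the removed code had, not a new exposure, and it keeps a `%3F` in the path from being mistaken for the query separator. xs_fcgi_request starts and ends outside this hunk.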
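Review bot: Same gap as in the FastCGI reader: `udp` is now the raw request target, so the first element of `pnv`, which the lines following this hunk presumably store as the path, is still percent-encoded, whereas the removed line decoded it. Unless the path is decoded further down (outside this hunk), handlers now receive `%XX` sequences in the path where they previously got the decoded characters. Decode the segment instead of the whole target, e.g. `xs *path = xs_url_dec(xs_list_get(pnv, 0));` and store `path` where `xs_list_get(pnv, 0)` was used. The name `udp` (apparently "url-decoded path") is now misleading, since the value it holds is no longer decoded; `target` or `uri` would read correctly. xs_httpd_request starts and ends outside this hunk.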
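Review bot: `xs_split_n(xs_url_dec(v), "=", 1)` leaks the decoded string on every iteration: `xs_url_dec` returns a newly allocated `xs_str *` (every removed line in this patch bound its result to an `xs *` temporary, presumably so it would be released), and here the pointer is passed straight in and never freed. Bind it first: `xs *dv = xs_url_dec(v); xs *kv = xs_split_n(dv, "=", 1);`. Decoding before the `=` split also means an encoded `=` (`%3D`) inside a key still shifts the split point; the robust order is to split the raw pair on `=` and then decode key and value separately, which would also touch the key/value lines below this hunk. Since this function parses attacker-controlled query strings and form bodies on every request, the leak is remotely reachable and grows with each request. xs_url_vars starts and ends outside this hunk.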