Avoid double-unescaping of form value (#26853) (#26863)

Backport #26853

The old `prepareQueryArg` did double-unescaping of form value.

(cherry picked from commit e8da63c24ef9b950999364a86c3a01de6f460e4c)
This commit is contained in:
wxiaoguang 2023-09-01 21:15:00 +08:00 committed by Earl Warren
parent 193e04c43b
commit 9c0380fe84
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
3 changed files with 6 additions and 23 deletions

View file

@ -4,29 +4,18 @@
package context package context
import ( import (
"net/url"
"strings" "strings"
"time" "time"
) )
// GetQueryBeforeSince return parsed time (unix format) from URL query's before and since // GetQueryBeforeSince return parsed time (unix format) from URL query's before and since
func GetQueryBeforeSince(ctx *Base) (before, since int64, err error) { func GetQueryBeforeSince(ctx *Base) (before, since int64, err error) {
qCreatedBefore, err := prepareQueryArg(ctx, "before") before, err = parseFormTime(ctx, "before")
if err != nil { if err != nil {
return 0, 0, err return 0, 0, err
} }
qCreatedSince, err := prepareQueryArg(ctx, "since") since, err = parseFormTime(ctx, "since")
if err != nil {
return 0, 0, err
}
before, err = parseTime(qCreatedBefore)
if err != nil {
return 0, 0, err
}
since, err = parseTime(qCreatedSince)
if err != nil { if err != nil {
return 0, 0, err return 0, 0, err
} }
@ -34,7 +23,8 @@ func GetQueryBeforeSince(ctx *Base) (before, since int64, err error) {
} }
// parseTime parse time and return unix timestamp // parseTime parse time and return unix timestamp
func parseTime(value string) (int64, error) { func parseFormTime(ctx *Base, name string) (int64, error) {
value := strings.TrimSpace(ctx.FormString(name))
if len(value) != 0 { if len(value) != 0 {
t, err := time.Parse(time.RFC3339, value) t, err := time.Parse(time.RFC3339, value)
if err != nil { if err != nil {
@ -46,10 +36,3 @@ func parseTime(value string) (int64, error) {
} }
return 0, nil return 0, nil
} }
// prepareQueryArg unescape and trim a query arg
func prepareQueryArg(ctx *Base, name string) (value string, err error) {
value, err = url.PathUnescape(ctx.FormString(name))
value = strings.TrimSpace(value)
return value, err
}

View file

@ -234,7 +234,7 @@ func TestAPISearchIssues(t *testing.T) {
DecodeJSON(t, resp, &apiIssues) DecodeJSON(t, resp, &apiIssues)
assert.Len(t, apiIssues, expectedIssueCount) assert.Len(t, apiIssues, expectedIssueCount)
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 since := "2000-01-01T00:50:01+00:00" // 946687801
before := time.Unix(999307200, 0).Format(time.RFC3339) before := time.Unix(999307200, 0).Format(time.RFC3339)
query.Add("since", since) query.Add("since", since)
query.Add("before", before) query.Add("before", before)

View file

@ -368,7 +368,7 @@ func TestSearchIssues(t *testing.T) {
DecodeJSON(t, resp, &apiIssues) DecodeJSON(t, resp, &apiIssues)
assert.Len(t, apiIssues, expectedIssueCount) assert.Len(t, apiIssues, expectedIssueCount)
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 since := "2000-01-01T00:50:01+00:00" // 946687801
before := time.Unix(999307200, 0).Format(time.RFC3339) before := time.Unix(999307200, 0).Format(time.RFC3339)
query := url.Values{} query := url.Values{}
query.Add("since", since) query.Add("since", since)