Avoid double-unescaping of form value (#26853)

1. The old `prepareQueryArg` did double-unescaping of form value.
2. By the way, remove the unnecessary `ctx.Flash = ...` in
`MockContext`.

Co-authored-by: Giteabot <teabot@gitea.io>
This commit is contained in:
wxiaoguang 2023-09-01 20:01:36 +08:00 committed by GitHub
parent e8aae43f56
commit f01bed2443
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 6 additions and 24 deletions

View File

@ -4,29 +4,18 @@
package context package context
import ( import (
"net/url"
"strings" "strings"
"time" "time"
) )
// GetQueryBeforeSince return parsed time (unix format) from URL query's before and since // GetQueryBeforeSince return parsed time (unix format) from URL query's before and since
func GetQueryBeforeSince(ctx *Base) (before, since int64, err error) { func GetQueryBeforeSince(ctx *Base) (before, since int64, err error) {
qCreatedBefore, err := prepareQueryArg(ctx, "before") before, err = parseFormTime(ctx, "before")
if err != nil { if err != nil {
return 0, 0, err return 0, 0, err
} }
qCreatedSince, err := prepareQueryArg(ctx, "since") since, err = parseFormTime(ctx, "since")
if err != nil {
return 0, 0, err
}
before, err = parseTime(qCreatedBefore)
if err != nil {
return 0, 0, err
}
since, err = parseTime(qCreatedSince)
if err != nil { if err != nil {
return 0, 0, err return 0, 0, err
} }
@ -34,7 +23,8 @@ func GetQueryBeforeSince(ctx *Base) (before, since int64, err error) {
} }
// parseTime parse time and return unix timestamp // parseTime parse time and return unix timestamp
func parseTime(value string) (int64, error) { func parseFormTime(ctx *Base, name string) (int64, error) {
value := strings.TrimSpace(ctx.FormString(name))
if len(value) != 0 { if len(value) != 0 {
t, err := time.Parse(time.RFC3339, value) t, err := time.Parse(time.RFC3339, value)
if err != nil { if err != nil {
@ -46,10 +36,3 @@ func parseTime(value string) (int64, error) {
} }
return 0, nil return 0, nil
} }
// prepareQueryArg unescape and trim a query arg
func prepareQueryArg(ctx *Base, name string) (value string, err error) {
value, err = url.PathUnescape(ctx.FormString(name))
value = strings.TrimSpace(value)
return value, err
}

View File

@ -50,7 +50,6 @@ func MockContext(t *testing.T, reqPath string) (*context.Context, *httptest.Resp
base.Locale = &translation.MockLocale{} base.Locale = &translation.MockLocale{}
ctx := context.NewWebContext(base, &MockRender{}, nil) ctx := context.NewWebContext(base, &MockRender{}, nil)
ctx.Flash = &middleware.Flash{Values: url.Values{}}
chiCtx := chi.NewRouteContext() chiCtx := chi.NewRouteContext()
ctx.Base.AppendContextValue(chi.RouteCtxKey, chiCtx) ctx.Base.AppendContextValue(chi.RouteCtxKey, chiCtx)

View File

@ -234,7 +234,7 @@ func TestAPISearchIssues(t *testing.T) {
DecodeJSON(t, resp, &apiIssues) DecodeJSON(t, resp, &apiIssues)
assert.Len(t, apiIssues, expectedIssueCount) assert.Len(t, apiIssues, expectedIssueCount)
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 since := "2000-01-01T00:50:01+00:00" // 946687801
before := time.Unix(999307200, 0).Format(time.RFC3339) before := time.Unix(999307200, 0).Format(time.RFC3339)
query.Add("since", since) query.Add("since", since)
query.Add("before", before) query.Add("before", before)

View File

@ -368,7 +368,7 @@ func TestSearchIssues(t *testing.T) {
DecodeJSON(t, resp, &apiIssues) DecodeJSON(t, resp, &apiIssues)
assert.Len(t, apiIssues, expectedIssueCount) assert.Len(t, apiIssues, expectedIssueCount)
since := "2000-01-01T00%3A50%3A01%2B00%3A00" // 946687801 since := "2000-01-01T00:50:01+00:00" // 946687801
before := time.Unix(999307200, 0).Format(time.RFC3339) before := time.Unix(999307200, 0).Format(time.RFC3339)
query := url.Values{} query := url.Values{}
query.Add("since", since) query.Add("since", since)