You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As the title says, when I try to get a URL parameter from a http.Request object (calling chi.URLParam), it sometimes returns a URL-encoded result, and it only depends on whether r.URL.RawPath is set or not.
This is because in function *Mux.routeHTTP(), it checks if r.URL.RawPath is set and uses it instead of r.URL.Path; however, r.URL.RawPath is only present sometimes:
We hit this bug. Because the data only sometimes needs unescaping depending on whatever inside go sets the URL.RawPath value in net/http, it's not safe to unconditionally apply url.PathUnescape(), since that would not correctly handle certain edge cases involving double-url-escaped strings, like http://example.com/my%2520data (with an escaped percent), which application logic should see as my%20data, but a naive approach would inappropriately yield my data. I'm using this unfortunate workaround:
funcSafeURLParam(r*http.Request, keystring) string {
rctx:=chi.RouteContext(r.Context())
ifrctx==nil {
return""
}
raw:=rctx.URLParam(key)
// Only apply unescaping if chi built the param map using the raw path.// Corresponds to the logic at// https://github.com/go-chi/chi/blob/v5.1.0/mux.go#L433-L437ifr.URL.RawPath=="" {
returnraw
}
unescaped, err:=url.PathUnescape(raw)
iferr!=nil {
slog.Warn("bad URL escape", "error", err, "param", raw)
return""
}
returnunescaped
}
Hello!
As the title says, when I try to get a URL parameter from a
http.Request
object (callingchi.URLParam
), it sometimes returns a URL-encoded result, and it only depends on whetherr.URL.RawPath
is set or not.This is because in function
*Mux.routeHTTP()
, it checks ifr.URL.RawPath
is set and uses it instead ofr.URL.Path
; however,r.URL.RawPath
is only present sometimes:chi/mux.go
Lines 420 to 431 in 7f28096
IMHO, the best course of action will be to use
url.EscapedPath()
to get theroutePath
and thenurl.PathUnescape()
to set every value.Simple program to show the bug:
Simple execution to see the problem:
If it is OK for you, I will open a Pull Request.
Thank you very much,
Juan
The text was updated successfully, but these errors were encountered: