[v10.0/forgejo] fix: use correct input for strip slashes middleware (#7306)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/7295 - The router must use the escaped path in order to ensure correct functionality (at least, that is what they say). However `req.URL.Path` shouldn't be set to the escaped path, which is fixed in this patch. - Simplify the logic and no longer try to use `rctx.RoutePath`, this is only useful if the middleware was placed after some routing parsing was done. - Resolves forgejo/forgejo#7294 - Resolves forgejo/forgejo#7292 - Add unit test <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/7295): <!--number 7295 --><!--line 0 --><!--description dXNlIGNvcnJlY3QgaW5wdXQgZm9yIHN0cmlwIHNsYXNoZXMgbWlkZGxld2FyZQ==-->use correct input for strip slashes middleware<!--description--> <!--end release-notes-assistant--> Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7306 Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
This commit is contained in:
forgejo-backport-action
Earl Warren
parent
0f5182d0c6
commit
dde3f51c72
3 changed files with 35 additions and 23 deletions
|
|
@ -74,27 +74,27 @@ func ProtocolMiddlewares() (handlers []any) {
|
||||||
|
|
||||||
func stripSlashesMiddleware(next http.Handler) http.Handler {
|
func stripSlashesMiddleware(next http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
|
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
|
||||||
// First of all escape the URL RawPath to ensure that all routing is done using a correctly escaped URL
|
// Ensure that URL.RawPath is always set.
|
||||||
req.URL.RawPath = req.URL.EscapedPath()
|
req.URL.RawPath = req.URL.EscapedPath()
|
||||||
|
|
||||||
urlPath := req.URL.RawPath
|
sanitize := func(path string) string {
|
||||||
rctx := chi.RouteContext(req.Context())
|
sanitizedPath := &strings.Builder{}
|
||||||
if rctx != nil && rctx.RoutePath != "" {
|
prevWasSlash := false
|
||||||
urlPath = rctx.RoutePath
|
for _, chr := range strings.TrimRight(path, "/") {
|
||||||
}
|
if chr != '/' || !prevWasSlash {
|
||||||
|
sanitizedPath.WriteRune(chr)
|
||||||
sanitizedPath := &strings.Builder{}
|
}
|
||||||
prevWasSlash := false
|
prevWasSlash = chr == '/'
|
||||||
for _, chr := range strings.TrimRight(urlPath, "/") {
|
|
||||||
if chr != '/' || !prevWasSlash {
|
|
||||||
sanitizedPath.WriteRune(chr)
|
|
||||||
}
|
}
|
||||||
prevWasSlash = chr == '/'
|
return sanitizedPath.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
req.URL.Path = sanitizedPath.String()
|
// Sanitize the unescaped path for application logic.
|
||||||
|
req.URL.Path = sanitize(req.URL.Path)
|
||||||
|
rctx := chi.RouteContext(req.Context())
|
||||||
if rctx != nil {
|
if rctx != nil {
|
||||||
rctx.RoutePath = req.URL.Path
|
// Sanitize the escaped path for routing.
|
||||||
|
rctx.RoutePath = sanitize(req.URL.RawPath)
|
||||||
}
|
}
|
||||||
next.ServeHTTP(resp, req)
|
next.ServeHTTP(resp, req)
|
||||||
})
|
})
|
||||||
|
|
|
||||||
|
|
@ -15,9 +15,10 @@ import (
|
||||||
|
|
||||||
func TestStripSlashesMiddleware(t *testing.T) {
|
func TestStripSlashesMiddleware(t *testing.T) {
|
||||||
type test struct {
|
type test struct {
|
||||||
name string
|
name string
|
||||||
expectedPath string
|
expectedPath string
|
||||||
inputPath string
|
expectedNormalPath string
|
||||||
|
inputPath string
|
||||||
}
|
}
|
||||||
|
|
||||||
tests := []test{
|
tests := []test{
|
||||||
|
|
@ -57,9 +58,16 @@ func TestStripSlashesMiddleware(t *testing.T) {
|
||||||
expectedPath: "/repo/migrate",
|
expectedPath: "/repo/migrate",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "path with encoded slash",
|
name: "path with encoded slash",
|
||||||
inputPath: "/user2/%2F%2Frepo1",
|
inputPath: "/user2/%2F%2Frepo1",
|
||||||
expectedPath: "/user2/%2F%2Frepo1",
|
expectedPath: "/user2/%2F%2Frepo1",
|
||||||
|
expectedNormalPath: "/user2/repo1",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "path with space",
|
||||||
|
inputPath: "/assets/css/theme%20cappuccino.css",
|
||||||
|
expectedPath: "/assets/css/theme%20cappuccino.css",
|
||||||
|
expectedNormalPath: "/assets/css/theme cappuccino.css",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -69,7 +77,11 @@ func TestStripSlashesMiddleware(t *testing.T) {
|
||||||
|
|
||||||
called := false
|
called := false
|
||||||
r.Get("*", func(w http.ResponseWriter, r *http.Request) {
|
r.Get("*", func(w http.ResponseWriter, r *http.Request) {
|
||||||
assert.Equal(t, tt.expectedPath, r.URL.Path)
|
if tt.expectedNormalPath != "" {
|
||||||
|
assert.Equal(t, tt.expectedNormalPath, r.URL.Path)
|
||||||
|
} else {
|
||||||
|
assert.Equal(t, tt.expectedPath, r.URL.Path)
|
||||||
|
}
|
||||||
|
|
||||||
rctx := chi.RouteContext(r.Context())
|
rctx := chi.RouteContext(r.Context())
|
||||||
assert.Equal(t, tt.expectedPath, rctx.RoutePath)
|
assert.Equal(t, tt.expectedPath, rctx.RoutePath)
|
||||||
|
|
|
||||||
|
|
@ -1051,7 +1051,7 @@ func RepoRefByType(refType RepoRefType, ignoreNotExistErr ...bool) func(*Context
|
||||||
|
|
||||||
if refType == RepoRefLegacy {
|
if refType == RepoRefLegacy {
|
||||||
// redirect from old URL scheme to new URL scheme
|
// redirect from old URL scheme to new URL scheme
|
||||||
prefix := strings.TrimPrefix(setting.AppSubURL+strings.ToLower(strings.TrimSuffix(ctx.Req.URL.Path, ctx.PathParamRaw("*"))), strings.ToLower(ctx.Repo.RepoLink))
|
prefix := strings.TrimPrefix(setting.AppSubURL+strings.ToLower(strings.TrimSuffix(ctx.Req.URL.Path, ctx.Params("*"))), strings.ToLower(ctx.Repo.RepoLink))
|
||||||
|
|
||||||
ctx.Redirect(path.Join(
|
ctx.Redirect(path.Join(
|
||||||
ctx.Repo.RepoLink,
|
ctx.Repo.RepoLink,
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue