Skip to content

How to prevent uri decoding in routing #561

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
yaa110 opened this issue Jun 11, 2016 · 6 comments
Closed

How to prevent uri decoding in routing #561

yaa110 opened this issue Jun 11, 2016 · 6 comments

Comments

@yaa110
Copy link

yaa110 commented Jun 11, 2016
edited
Loading

Please consider the following example:

e.GET("/search/:term/:page", func (c echo.Context) error {
    return c.String(http.StatusOK, c.Param("term"))
})

The routing is not working when the term contains %2F, because the term is decoded and %2F is converted to /, e.g., http://localhost:5050/search/a%2Fb/1 returns Not Found exception.
@JosefWN
Copy link

JosefWN commented Jul 10, 2016
edited
Loading

After upgrading my issue is the opposite; has decoding been disabled? Possibly related to #587.

As a workaround I have done the following:

url.QueryUnescape(c.Param("..."))

No biggie, just verifying that this is intended?

@yaa110
Copy link
Author

yaa110 commented Jul 10, 2016
edited
Loading

@Puffton Yes, it seems they have changed the code to escape the parameters.
Please check commit: c00d017 (@vishr committed 11days ago)
This change makes sense because prevents unintended consequences.

@yaa110 yaa110 closed this as completed Jul 10, 2016
@ansel1
Copy link

ansel1 commented Oct 10, 2016

Seems like path params with escapes were only messing up the router. But after routing and parsing out the path params, isn't it desirable to unescape the params before invoking the handlers?

This broke a lot of our tests, because our routes use path params with encoded spaces in them pretty often. I'm tempted to put in a root middleware like:

c.SetParamValues(unescapeThemAll(c.ParamValues))

@luca-moser
Copy link

luca-moser commented Oct 20, 2016
edited
Loading

@ansel1 I second your opinion. Params should be unescaped before the handler is invoked.

@ansel1
Copy link

ansel1 commented Oct 20, 2016

We have ended up inserting another middleware in our chain which unescapes them all right after routing.

@ansel1
Copy link

ansel1 commented Nov 16, 2016

FYI: our approach to working around this was middleware which called url.QueryUnescape() on the params. This method is flawed unfortunately. Query escaped strings may replace spaces with '+', as golang's url.QueryEscape() function does. So url.QueryUnescape() replaces '+' with spaces.

But URI path segments are allowed to have literal '+' characters in them, so "unescaping" them back into spaces is inappropriate. golang's url package does have the code to correctly unescape path segments, but the only way to invoke it is:

u, _ := url.Parse(param)
param = u.Path

@voids voids mentioned this issue Dec 8, 2016
Closed
@aldas aldas mentioned this issue Aug 26, 2021
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ansel1 @luca-moser @yaa110 @JosefWN