test1234/gitea
1
0
Fork 0
forked from gitea/gitea
Code Pull Requests Activity

Instead of using routerCtx just escape the url before routing (#18086)

Browse Source 
A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing #18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviors too.

Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.

Fix #17938
Fix #18060
Replace #18062
Replace #17997

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2021-12-24 16:50:49 +00:00 committed by GitHub
parent 26070eb818
commit 16adaaeaa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 4 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
integrations/links_test.go
View File

@ -33,6 +33,7 @@ func TestLinksNoLogin(t *testing.T) {
"/user/forgot_password",
"/api/swagger",
"/user2/repo1",
"/user2/repo1/",
"/user2/repo1/projects",
"/user2/repo1/projects/1",
"/assets/img/404.png",
@ -61,16 +62,6 @@ func TestRedirectsNoLogin(t *testing.T) {
resp := MakeRequest(t, req, http.StatusFound)
assert.EqualValues(t, path.Join(setting.AppSubURL, redirectLink), test.RedirectURL(resp))
}
var temporaryRedirects = map[string]string{
"/user2/repo1/": "/user2/repo1",
}
for link, redirectLink := range temporaryRedirects {
req := NewRequest(t, "GET", link)
resp := MakeRequest(t, req, http.StatusTemporaryRedirect)
assert.EqualValues(t, path.Join(setting.AppSubURL, redirectLink), test.RedirectURL(resp))
}
}
func TestNoLoginNotExist(t *testing.T) {

3
modules/context/context.go
View File

@ -610,9 +610,6 @@ func Contexter() func(next http.Handler) http.Handler {
var startTime = time.Now()
var link = setting.AppSubURL + strings.TrimSuffix(req.URL.EscapedPath(), "/")
chiCtx := chi.RouteContext(req.Context())
chiCtx.RoutePath = req.URL.EscapedPath()
var ctx = Context{
Resp: NewResponse(resp),
Cache: mc.GetCache(),

3
routers/common/middleware.go
View File

@ -23,6 +23,9 @@ func Middlewares() []func(http.Handler) http.Handler {
var handlers = []func(http.Handler) http.Handler{
func(next http.Handler) http.Handler {
return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
// First of all escape the URL RawPath to ensure that all routing is done using a correctly escaped URL
req.URL.RawPath = req.URL.EscapedPath()
ctx, _, finished := process.GetManager().AddContext(req.Context(), fmt.Sprintf("%s: %s", req.Method, req.RequestURI))
defer finished()
next.ServeHTTP(context.NewResponse(resp), req.WithContext(ctx))

5
routers/web/web.go
View File

@ -1079,11 +1079,6 @@ func RegisterRoutes(m *web.Route) {
m.Get("/swagger.v1.json", SwaggerV1Json)
}
m.NotFound(func(w http.ResponseWriter, req *http.Request) {
escapedPath := req.URL.EscapedPath()
if len(escapedPath) > 1 && escapedPath[len(escapedPath)-1] == '/' {
http.Redirect(w, req, setting.AppSubURL+escapedPath[:len(escapedPath)-1], http.StatusTemporaryRedirect)
return
}
ctx := context.GetContext(req)
ctx.NotFound("", nil)
})