fixed double decoding in urldecode #261
Merged
Current falco implementation of urldecode essentially applies url decoding twice, once by applying url.PathUnescape and then by calling url.QueryUnescape. In addition, %25 (escaped "%") gets yet another extra decoding.
Fastly documentation of urldecode is a bit misleading:
This gives the impression that both %20 and %2520 should be decoded to a space character.
However, in reality what it means to demonstrate is that two different string literals "..." and {"..."} are interpreted differently. In the second example %25 is decoded to '%' by the parser, leading to the same original value passed to urldecode as in the first example.
The confusion is also likely caused by misinterpretation of quoted literals in falco, which is apparently fixed in PR-256.