fixed double decoding in urldecode #261

Merged 2 commits on Feb 18, 2024

akrainiouk
Contributor

The current falco implementation of urldecode essentially applies URL decoding twice, once by applying url.PathUnescape and then by calling url.QueryUnescape. In addition, %25 (escaped "%") gets yet another extra decoding.

Fastly documentation of urldecode is a bit misleading:

For example, urldecode({"hello%20world+!"}); and urldecode("hello%2520world+!"); will both return "hello world !".

This gives the impression that both %20 and %2520 should be decoded to a space character.
However, in reality what it means to demonstrate is that two different string literals, "..." and {"..."}, are interpreted differently. In the second example %25 is decoded to '%' by the parser, leading to the same original value being passed to urldecode as in the first example.

The confusion is also likely caused by misinterpretation of quoted literals in falco, which is apparently fixed in PR-256.
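
The difference between the two-pass decoding described above and a single pass, as an added example that is not part of the pull request or falco's code. The function names are hypothetical, the inputs are constructed, and the extra %25 handling the description mentions is not modelled.

```go
package main

import (
	"fmt"
	"net/url"
)

// doubleDecode models the two-pass behaviour reported in the PR description:
// url.PathUnescape followed by url.QueryUnescape. Hypothetical helper, not
// falco's source; the extra %25 handling the description mentions is left out.
func doubleDecode(s string) string {
	if p, err := url.PathUnescape(s); err == nil {
		s = p
	}
	if q, err := url.QueryUnescape(s); err == nil {
		s = q
	}
	return s
}

// singleDecode applies one decoding pass. "+" becomes a space, matching the
// "hello world !" result in the Fastly example quoted above.
func singleDecode(s string) string {
	q, err := url.QueryUnescape(s)
	if err != nil {
		return s // malformed escape: return the input unchanged (assumption)
	}
	return q
}

// overDecoded reports whether the second pass changes the result for s.
func overDecoded(s string) bool {
	return doubleDecode(s) != singleDecode(s)
}

func main() {
	// Constructed sample inputs.
	inputs := []string{"hello%20world+!", "hello%2520world+!", "a%2Bb", "100%2525"}
	for _, in := range inputs {
		fmt.Printf("%-20q single=%-20q double=%-18q differs=%v\n",
			in, singleDecode(in), doubleDecode(in), overDecoded(in))
	}
}
```

The `a%2Bb` input shows the practical cost: an escaped plus sign survives one pass as `+` but is turned into a space by the second pass, so a rule tested against the two-pass result sees a different value than a single-pass decoder produces.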

Collaborator

@richardmarshall richardmarshall left a comment


Thanks, this looks good.

@ysugimoto ysugimoto merged commit 30a52db into ysugimoto:main Feb 18, 2024
1 check passed
@akrainiouk akrainiouk deleted the urldecode-fixes branch February 19, 2024 02:19
3 participants