Fix URL parameter decoding in web server (#3313)

* Make HTTP server test data easier to examine * Add HTTP server parameter tests containing & and = * Fix URL parameter decoding in web server The parameters string needs to be first split on & and =, and URL decoding on parts done after that. Otherwise URL encoded & and = within parameter names and values cause incorrect splitting.
2025-04-21 10:26:06 +03:00 · 2017-12-30 19:24:37 +02:00 · 2017-12-30 19:24:37 +02:00 · b4653f4d44
commit b4653f4d44
parent 4ab89d07fc
3 changed files with 19 additions and 23 deletions
--- a/libraries/ESP8266WebServer/src/Parsing.cpp
+++ b/libraries/ESP8266WebServer/src/Parsing.cpp
@ -184,13 +184,9 @@ bool ESP8266WebServer::_parseRequest(WiFiClient& client) {
      	return false;
      }
      if (contentLength > 0) {
        if (searchStr != "") searchStr += '&';
        if(isEncoded){
          //url encoded form
-          String decoded = urlDecode(plainBuf);
+          if (searchStr != "") searchStr += '&';
          size_t decodedLen = decoded.length();
          memcpy(plainBuf, decoded.c_str(), decodedLen);
          plainBuf[decodedLen] = 0;
          searchStr += plainBuf;
        }
        _parseArguments(searchStr);
@ -321,7 +317,7 @@ void ESP8266WebServer::_parseArguments(String data) {
      continue;
    }
    RequestArgument& arg = _currentArgs[iarg];
-    arg.key = data.substring(pos, equal_sign_index);
+    arg.key = urlDecode(data.substring(pos, equal_sign_index));
    arg.value = urlDecode(data.substring(equal_sign_index + 1, next_arg_index));
 #ifdef DEBUG_ESP_HTTP_SERVER
    DEBUG_OUTPUT.print("arg ");
--- a/tests/device/test_http_server/test_http_server.ino
+++ b/tests/device/test_http_server/test_http_server.ino
@ -36,7 +36,7 @@ TEST_CASE("HTTP GET Parameters", "[HTTPServer]")
            siteData = "";
            for (uint8_t i=0; i<server.args(); i++){
                if(i > 0)
-                    siteData += "&";
+                    siteData += "\n";
                siteData += server.argName(i) + " = " + server.arg(i);
            }
            siteHits++;
@ -45,7 +45,7 @@ TEST_CASE("HTTP GET Parameters", "[HTTPServer]")
        uint32_t startTime = millis();
        while(siteHits == 0 && (millis() - startTime) < 10000)
            server.handleClient();
-        REQUIRE(siteHits > 0 && siteData.equals("var1=val with spaces&var+=some%"));
+        REQUIRE(siteHits > 0 && siteData.equals("var1 = val with spaces\nva=r+ = so&me%"));
    }
 }
@ -57,7 +57,7 @@ TEST_CASE("HTTP POST Parameters", "[HTTPServer]")
            siteData = "";
            for (uint8_t i=0; i<server.args(); i++){
                if(i > 0)
-                    siteData += "&";
+                    siteData += "\n";
                siteData += server.argName(i) + " = " + server.arg(i);
            }
            siteHits++;
@ -78,7 +78,7 @@ TEST_CASE("HTTP GET+POST Parameters", "[HTTPServer]")
            siteData = "";
            for (uint8_t i=0; i<server.args(); i++){
                if(i > 0)
-                    siteData += "&";
+                    siteData += "\n";
                siteData += server.argName(i) + " = " + server.arg(i);
            }
            siteHits++;
@ -87,7 +87,7 @@ TEST_CASE("HTTP GET+POST Parameters", "[HTTPServer]")
        uint32_t startTime = millis();
        while(siteHits == 0 && (millis() - startTime) < 10000)
            server.handleClient();
-        REQUIRE(siteHits > 0 && siteData.equals("var3=val with spaces&var+=some%"));
+        REQUIRE(siteHits > 0 && siteData.equals("var3 = val with spaces\nva&r+ = so=me%"));
    }
 }
@ -98,7 +98,7 @@ TEST_CASE("HTTP Upload", "[HTTPServer]")
        server.on("/upload", HTTP_POST, [](){
            for (uint8_t i=0; i<server.args(); i++){
                if(i > 0)
-                    siteData += "&";
+                    siteData += "\n";
                siteData += server.argName(i) + " = " + server.arg(i);
            }
            siteHits++;
@ -110,13 +110,13 @@ TEST_CASE("HTTP Upload", "[HTTPServer]")
            } else if(upload.status == UPLOAD_FILE_END){
              siteData.concat(":");
              siteData.concat(String(upload.totalSize));
-              siteData.concat("&");
+              siteData.concat("\n");
            }
        });
        uint32_t startTime = millis();
        while(siteHits == 0 && (millis() - startTime) < 10000)
            server.handleClient();
-        REQUIRE(siteHits > 0 && siteData.equals("test.txt:16&var4=val with spaces"));
+        REQUIRE(siteHits > 0 && siteData.equals("test.txt:16\nvar4 = val with spaces"));
    }
 }
--- a/tests/device/test_http_server/test_http_server.py
+++ b/tests/device/test_http_server/test_http_server.py
@ -24,7 +24,7 @@ def http_test(res, url, get=None, post=None):
@setup('HTTP GET Parameters')
 def setup_http_get_params(e):
    def testRun():
-        return http_test('var1=val with spaces&var+=some%', 'http://etd.local/get', {'var1' : 'val with spaces', 'var+' : 'some%'})
+        return http_test('var1 = val with spaces\nva=r+ = so&me%', 'http://etd.local/get', {'var1' : 'val with spaces', 'va=r+' : 'so&me%'})
    Thread(target=testRun).start()
@teardown('HTTP GET Parameters')
@ -44,7 +44,7 @@ def teardown_http_post_params(e):
@setup('HTTP GET+POST Parameters')
 def setup_http_getpost_params(e):
    def testRun():
-        return http_test('var3=val with spaces&var+=some%', 'http://etd.local/get_and_post', {'var3' : 'val with spaces'}, {'var+' : 'some%'})
+        return http_test('var3 = val with spaces\nva&r+ = so=me%', 'http://etd.local/get_and_post', {'var3' : 'val with spaces'}, {'va&r+' : 'so=me%'})
    Thread(target=testRun).start()
@teardown('HTTP GET+POST Parameters')
@ -63,7 +63,7 @@ def setup_http_upload(e):
            response = urllib2.urlopen(request, None, 2).read()
        except:
            return 1
-        if response != 'test.txt:16&var4=val with spaces':
+        if response != 'test.txt:16\nvar4 = val with spaces':
            return 1
        return 0
    Thread(target=testRun).start()