
Some query strings are double percent-encoded #3348

@Frizlab


Describe the issue

GET /hello?yolo=<\ (string ends with a literal backslash) is decoded as ["yolo": "%3C\\"] (string also ends with one literal backslash), instead of ["yolo": "<\\"].

Vapor version

4.115.1

Operating system and version

macOS 15.5 (24F74)

Swift version

Swift Package Manager - Swift 6.1.0

Steps to reproduce

Write a Vapor server with an endpoint that just does this:

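app.get("hello") { req -> String in
    print(req.url.query)  // query string as exposed by the request URI
    try? print(req.query.decode([String: String].self))  // decoded query parameters
    return "whatever"
}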

Then run the endpoint with the given query string.

Outcome

The query string is improperly decoded.

Additional notes

The source of the problem lies in URLComponents whose behavior, as is well-known, is completely inconsistent with itself.
In particular in our case, the browser sends the following exact query string to the server: yolo=%3C\. URLComponents will see a character which is supposed to be escaped in a query string (the backslash) not escaped, so it will escape the whole query string. The same happens if the backslash is replaced with a percent sign.
Indeed, if the backslash is removed, the query string is properly parsed.

I understand this is not Vapor’s fault, but I guess it’s Vapor’s problem anyways… I’m not even sure as to how to properly fix this issue tbh, but it is a fairly important issue IMHO…
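One way to parse the raw query string so that each key and value is percent-decoded exactly once, without going through URLComponents. This is an added example, not code from the issue or from Vapor; `hexValue`, `decodeOnce` and `parseQuery` are hypothetical helper names, and the re-escaped sample string is constructed to mimic the effect the report describes.

```swift
// Added example (not Vapor code): lenient, decode-once query parsing.
// Helper names are hypothetical; sample inputs are constructed.

/// Value of one ASCII hex digit, or nil if the byte is not a hex digit.
func hexValue(_ b: UInt8) -> UInt8? {
    switch b {
    case UInt8(ascii: "0")...UInt8(ascii: "9"): return b - UInt8(ascii: "0")
    case UInt8(ascii: "a")...UInt8(ascii: "f"): return b - UInt8(ascii: "a") + 10
    case UInt8(ascii: "A")...UInt8(ascii: "F"): return b - UInt8(ascii: "A") + 10
    default: return nil
    }
}

/// Percent-decodes `s` exactly once. A "%" not followed by two hex digits,
/// and any stray byte such as "\", is kept literally instead of triggering
/// a re-escape of the whole string. "+" is left untouched.
func decodeOnce(_ s: Substring) -> String {
    let bytes = Array(s.utf8)
    var out: [UInt8] = []
    var i = 0
    while i < bytes.count {
        if bytes[i] == UInt8(ascii: "%"), i + 2 < bytes.count,
           let hi = hexValue(bytes[i + 1]), let lo = hexValue(bytes[i + 2]) {
            out.append(hi << 4 | lo)
            i += 3
        } else {
            out.append(bytes[i])
            i += 1
        }
    }
    // Invalid UTF-8 is repaired with U+FFFD rather than rejected.
    return String(decoding: out, as: UTF8.self)
}

/// Splits on "&" and the first "=", then decodes key and value once each.
func parseQuery(_ raw: String) -> [String: String] {
    var result: [String: String] = [:]
    for pair in raw.split(separator: "&") {
        let parts = pair.split(separator: "=", maxSplits: 1, omittingEmptySubsequences: false)
        result[decodeOnce(parts[0])] = parts.count > 1 ? decodeOnce(parts[1]) : ""
    }
    return result
}

// Query string exactly as sent by the browser in the report.
print(parseQuery(#"yolo=%3C\"#))
// Constructed: the same string after a whole-string re-escape, which is why
// a single decode downstream no longer recovers the "<".
print(parseQuery(#"yolo=%253C%5C"#))
```

Comparing the two printed dictionaries shows why input validation that runs on the decoded value sees different data depending on whether the re-escape happened.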

Metadata

Labels: bug
