Description
Describe the issue
GET /hello?yolo=<\ (string ends with a literal backslash) is decoded as ["yolo": "%3C\\"] (string also ends with one literal backslash), instead of ["yolo": "<\\"].
Vapor version
4.115.1
Operating system and version
macOS 15.5 (24F74)
Swift version
Swift Package Manager - Swift 6.1.0
Steps to reproduce
Write a vapor server with an endpoint that just does this:
print(req.url.query)
try? print(req.query.decode([String: String].self))
return "whatever"
Then run the endpoint with the given query string.
Outcome
The query string is improperly decoded.
Additional notes
The source of the problem lies in URLComponents, whose behavior, as is well-known, is completely inconsistent with itself.
In particular in our case, the browser sends the following exact query string to the server: yolo=%3C\. URLComponents will see a character which is supposed to be escaped in a query string (the backslash) not escaped, so it will escape the whole query string. The same happens if the backslash is replaced with a percent sign.
Indeed, if the backslash is removed, the query string is properly parsed.
I understand this is not Vapor’s fault, but I guess it’s Vapor’s problem anyways… I’m not even sure as to how to properly fix this issue tbh, but it is a fairly important issue IMHO…
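A query parser that decodes each name and value on its own, so a stray backslash or percent sign stays literal while valid escapes such as %3C are still decoded. This is an added example, not code from the issue or from Vapor; `hexValue`, `tolerantPercentDecode` and `parseQuery` are hypothetical names, and keeping a malformed escape as literal text is an assumption about the desired behavior.

```swift
import Foundation

// Added example, not Vapor's code. It never hands the raw query to
// URLComponents, so one unescaped byte cannot change how the rest is read.

/// Value of one ASCII hex digit, or nil. Hand-written on purpose:
/// UInt8(_:radix:) would also accept a leading "+" or "-".
func hexValue(_ b: UInt8) -> UInt8? {
    switch b {
    case UInt8(ascii: "0")...UInt8(ascii: "9"): return b - UInt8(ascii: "0")
    case UInt8(ascii: "a")...UInt8(ascii: "f"): return b - UInt8(ascii: "a") + 10
    case UInt8(ascii: "A")...UInt8(ascii: "F"): return b - UInt8(ascii: "A") + 10
    default: return nil
    }
}

/// Percent-decodes byte by byte. A "%" that is not followed by two hex digits
/// is kept as a literal "%" (assumption). "+" is not turned into a space.
func tolerantPercentDecode(_ s: String) -> String {
    let bytes = Array(s.utf8)
    var out: [UInt8] = []
    var i = 0
    while i < bytes.count {
        if bytes[i] == UInt8(ascii: "%"), i + 2 < bytes.count,
           let hi = hexValue(bytes[i + 1]), let lo = hexValue(bytes[i + 2]) {
            out.append(hi << 4 | lo)
            i += 3
        } else {
            out.append(bytes[i])   // backslash, lone "%", etc. pass through
            i += 1
        }
    }
    // Decoded bytes that are not valid UTF-8 become U+FFFD instead of failing.
    return String(decoding: out, as: UTF8.self)
}

/// Splits on "&" and on the first "=" BEFORE decoding, so an encoded "&" or
/// "=" inside a value cannot create extra parameters.
func parseQuery(_ raw: String) -> [(name: String, value: String)] {
    raw.split(separator: "&").map { pair -> (name: String, value: String) in
        let parts = pair.split(separator: "=", maxSplits: 1, omittingEmptySubsequences: false)
        let value = parts.count > 1 ? tolerantPercentDecode(String(parts[1])) : ""
        return (name: tolerantPercentDecode(String(parts[0])), value: value)
    }
}

// Constructed inputs: the raw query from the report, its percent-sign variant,
// and a mix of one malformed and one valid escape.
for raw in ["yolo=%3C\\", "yolo=%3C%", "a=%zz&b=%41"] {
    print(raw, "->", parseQuery(raw))
}
```

Any filter or validator that inspects the parameter should run on the output of the same decoder the handler uses, since a value that arrives as `%3C` in one layer and `<` in another is checked against the wrong string.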