diff options
| author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2019-07-03 16:38:50 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-07-03 16:38:50 +0100 |
| commit | 33a13925417612b032c1cbbb8ee62eb053faa5f8 (patch) | |
| tree | f9df498f2e31f82e2e84a69bd9de170e09253ade /mediaapi | |
| parent | 1eb77b8161cdf2e3b107c606d4f3f88209042ed8 (diff) | |
Encode URLs properly (#728)
We were escaping the URL before performing any pattern matching on it.
This meant that if you sent data that URLdecoded to a "/", it would count as
a "/" in the URL, potentially causing a 404. This was causing some flaky tests
with some randomly-generated query parameters.
Now, we keep URLs encoded while doing the pattern matching, and only afterwards
do we URL decode each query parameter individually before passing them to their
respective handler functions.
github.com/gorilla/mux was also updated to v1.7.3 to fix a bug with URL encoding and subrouters.
Diffstat (limited to 'mediaapi')
| -rw-r--r-- | mediaapi/routing/routing.go | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go index fb983ccc..5bcce177 100644 --- a/mediaapi/routing/routing.go +++ b/mediaapi/routing/routing.go @@ -34,6 +34,10 @@ import ( const pathPrefixR0 = "/_matrix/media/r0" // Setup registers the media API HTTP handlers +// +// Due to Setup being used to call many other functions, a gocyclo nolint is +// applied: +// nolint: gocyclo func Setup( apiMux *mux.Router, cfg *config.Dendrite, @@ -87,7 +91,7 @@ func makeDownloadAPI( // Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors w.Header().Set("Content-Type", "application/json") - vars := mux.Vars(req) + vars, _ := common.URLDecodeMapValues(mux.Vars(req)) Download( w, req, |