diff options
| author |  Nicolai Dagestad | 2024-09-15 15:03:21 +0200 |
|---|---|---|
| committer | Nicolai Dagestad | 2024-09-15 18:39:49 +0200 |
| commit | ba5cbb6d828165a43826c6afdd71fa2edbdca302 (patch) | |
| tree | 87290e2f2a97433c35f0ce86cd14cabe9703dd2c /mastoapi.c | |
| parent | Minor code cleaning. (diff) | |
| download | penes-snac2-ba5cbb6d828165a43826c6afdd71fa2edbdca302.tar.gz penes-snac2-ba5cbb6d828165a43826c6afdd71fa2edbdca302.tar.xz penes-snac2-ba5cbb6d828165a43826c6afdd71fa2edbdca302.zip | |
URL decode data after splitting the arguments
Data decoding should happen after the parsing if not, a '?', '&', '#'
or other character decoded will interfere with the parsing. e.g. the
users password contains a '&', then it is truncated on that character,
and login will fail.
Diffstat (limited to 'mastoapi.c')
| -rw-r--r-- | mastoapi.c | 12 |
1 files changed, 4 insertions, 8 deletions
| @@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path, | |||
| 262 | } | 262 | } |
| 263 | else | 263 | else |
| 264 | if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) { | 264 | if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) { |
| 265 | xs *upl = xs_url_dec(payload); | 265 | args = xs_url_vars(payload); |
| 266 | args = xs_url_vars(upl); | ||
| 267 | } | 266 | } |
| 268 | else | 267 | else |
| 269 | args = xs_dup(xs_dict_get(req, "p_vars")); | 268 | args = xs_dup(xs_dict_get(req, "p_vars")); |
| @@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path, | |||
| 2361 | { | 2360 | { |
| 2362 | // Some apps send form data instead of json so we should cater for those | 2361 | // Some apps send form data instead of json so we should cater for those |
| 2363 | if (!xs_is_null(payload)) { | 2362 | if (!xs_is_null(payload)) { |
| 2364 | xs *upl = xs_url_dec(payload); | 2363 | args = xs_url_vars(payload); |
| 2365 | args = xs_url_vars(upl); | ||
| 2366 | } | 2364 | } |
| 2367 | } | 2365 | } |
| 2368 | else | 2366 | else |
| @@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path, | |||
| 2959 | { | 2957 | { |
| 2960 | // Some apps send form data instead of json so we should cater for those | 2958 | // Some apps send form data instead of json so we should cater for those |
| 2961 | if (!xs_is_null(payload)) { | 2959 | if (!xs_is_null(payload)) { |
| 2962 | xs *upl = xs_url_dec(payload); | 2960 | args = xs_url_vars(payload); |
| 2963 | args = xs_url_vars(upl); | ||
| 2964 | } | 2961 | } |
| 2965 | } | 2962 | } |
| 2966 | else | 2963 | else |
| @@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path, | |||
| 3194 | { | 3191 | { |
| 3195 | // Some apps send form data instead of json so we should cater for those | 3192 | // Some apps send form data instead of json so we should cater for those |
| 3196 | if (!xs_is_null(payload)) { | 3193 | if (!xs_is_null(payload)) { |
| 3197 | xs *upl = xs_url_dec(payload); | 3194 | args = xs_url_vars(payload); |
| 3198 | args = xs_url_vars(upl); | ||
| 3199 | } | 3195 | } |
| 3200 | } | 3196 | } |
| 3201 | else | 3197 | else |