From ba5cbb6d828165a43826c6afdd71fa2edbdca302 Mon Sep 17 00:00:00 2001 From: Nicolai Dagestad Date: Sun, 15 Sep 2024 15:03:21 +0200 Subject: URL decode data after splitting the arguments Data decoding should happen after the parsing if not, a '?', '&', '#' or other character decoded will interfere with the parsing. e.g. the users password contains a '&', then it is truncated on that character, and login will fail. --- mastoapi.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'mastoapi.c') diff --git a/mastoapi.c b/mastoapi.c index ec8268c..ffd1982 100644 --- a/mastoapi.c +++ b/mastoapi.c @@ -262,8 +262,7 @@ int oauth_post_handler(const xs_dict *req, const char *q_path, } else if (i_ctype && xs_startswith(i_ctype, "application/x-www-form-urlencoded") && payload) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } else args = xs_dup(xs_dict_get(req, "p_vars")); @@ -2361,8 +2360,7 @@ int mastoapi_post_handler(const xs_dict *req, const char *q_path, { // Some apps send form data instead of json so we should cater for those if (!xs_is_null(payload)) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } } else @@ -2959,8 +2957,7 @@ int mastoapi_delete_handler(const xs_dict *req, const char *q_path, { // Some apps send form data instead of json so we should cater for those if (!xs_is_null(payload)) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } } else @@ -3194,8 +3191,7 @@ int mastoapi_patch_handler(const xs_dict *req, const char *q_path, { // Some apps send form data instead of json so we should cater for those if (!xs_is_null(payload)) { - xs *upl = xs_url_dec(payload); - args = xs_url_vars(upl); + args = xs_url_vars(payload); } } else -- cgit v1.2.3