From 2c876adeac21b9fe66a4d4cd490415360b9ed6d3 Mon Sep 17 00:00:00 2001 From: fghwett <1058178245@qq.com> Date: Fri, 14 Jun 2024 20:45:25 +0800 Subject: [PATCH 1/2] Fixed the issue where parameters containing equal signs were tampered with when there were file parameters in the same form. --- net/gclient/gclient_request.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/gclient/gclient_request.go b/net/gclient/gclient_request.go index 53aa744c155..ff2a1b0a9ef 100644 --- a/net/gclient/gclient_request.go +++ b/net/gclient/gclient_request.go @@ -230,7 +230,7 @@ func (c *Client) prepareRequest(ctx context.Context, method, url string, data .. writer = multipart.NewWriter(buffer) ) for _, item := range strings.Split(params, "&") { - array := strings.Split(item, "=") + array := strings.SplitN(item, "=", 2) if len(array[1]) > 6 && strings.Compare(array[1][0:6], httpParamFileHolder) == 0 { path := array[1][6:] if !gfile.Exists(path) { From 6a453c784c42a8dd5973bd6a46d253ae270e0bec Mon Sep 17 00:00:00 2001 From: fghwett <1058178245@qq.com> Date: Thu, 20 Jun 2024 10:11:35 +0800 Subject: [PATCH 2/2] Fixed an issue where file names containing = and & and equally complex parameters were tampered with in the form request parameters. --- internal/httputil/httputils.go | 5 +-- net/gclient/gclient_request.go | 16 +++++---- net/gclient/gclient_z_unit_test.go | 38 ++++++++++++++++++++ net/gclient/testdata/upload/file&&name=1.txt | 1 + net/ghttp/ghttp_z_unit_test.go | 28 +++++++++++++++ os/gres/testdata/data/data.go | 2 +- 6 files changed, 80 insertions(+), 10 deletions(-) create mode 100644 net/gclient/testdata/upload/file&&name=1.txt diff --git a/internal/httputil/httputils.go b/internal/httputil/httputils.go index f006f394536..fea014ebabb 100644 --- a/internal/httputil/httputils.go +++ b/internal/httputil/httputils.go @@ -46,10 +46,10 @@ func BuildParams(params interface{}, noUrlEncode ...bool) (encodedParamStr strin urlEncode = !noUrlEncode[0] } // If there's file uploading, it ignores the url encoding. - if urlEncode { + if !urlEncode { for k, v := range m { if gstr.Contains(k, fileUploadingKey) || gstr.Contains(gconv.String(v), fileUploadingKey) { - urlEncode = false + urlEncode = true break } } @@ -67,6 +67,7 @@ func BuildParams(params interface{}, noUrlEncode ...bool) (encodedParamStr strin if urlEncode { if strings.HasPrefix(s, fileUploadingKey) && len(s) > len(fileUploadingKey) { // No url encoding if uploading file. + s = fileUploadingKey + gurl.Encode(strings.TrimPrefix(s, fileUploadingKey)) } else { s = gurl.Encode(s) } diff --git a/net/gclient/gclient_request.go b/net/gclient/gclient_request.go index ff2a1b0a9ef..1315d47df4a 100644 --- a/net/gclient/gclient_request.go +++ b/net/gclient/gclient_request.go @@ -9,6 +9,7 @@ package gclient import ( "bytes" "context" + "github.com/gogf/gf/v2/encoding/gurl" "io" "mime/multipart" "net/http" @@ -231,15 +232,20 @@ func (c *Client) prepareRequest(ctx context.Context, method, url string, data .. ) for _, item := range strings.Split(params, "&") { array := strings.SplitN(item, "=", 2) - if len(array[1]) > 6 && strings.Compare(array[1][0:6], httpParamFileHolder) == 0 { - path := array[1][6:] + var ( + fieldName = array[0] + fieldValue = array[1] + ) + fieldValue, _ = gurl.Decode(fieldValue) + if len(fieldValue) > 6 && strings.Compare(fieldValue[0:6], httpParamFileHolder) == 0 { + path := fieldValue[6:] if !gfile.Exists(path) { return nil, gerror.NewCodef(gcode.CodeInvalidParameter, `"%s" does not exist`, path) } var ( file io.Writer formFileName = gfile.Basename(path) - formFieldName = array[0] + formFieldName = fieldName ) if file, err = writer.CreateFormFile(formFieldName, formFileName); err != nil { err = gerror.Wrapf(err, `CreateFormFile failed with "%s", "%s"`, formFieldName, formFileName) @@ -257,10 +263,6 @@ func (c *Client) prepareRequest(ctx context.Context, method, url string, data .. _ = f.Close() } } else { - var ( - fieldName = array[0] - fieldValue = array[1] - ) if err = writer.WriteField(fieldName, fieldValue); err != nil { err = gerror.Wrapf(err, `write form field failed with "%s", "%s"`, fieldName, fieldValue) return nil, err diff --git a/net/gclient/gclient_z_unit_test.go b/net/gclient/gclient_z_unit_test.go index 64c48dd485c..17ab754d18a 100644 --- a/net/gclient/gclient_z_unit_test.go +++ b/net/gclient/gclient_z_unit_test.go @@ -332,6 +332,44 @@ func Test_Client_File_And_Param(t *testing.T) { }) } +// It posts data along with file uploading. +// It does not url-encodes the parameters. +func Test_Client_Complex_File_And_Complex_Param(t *testing.T) { + s := g.Server(guid.S()) + s.BindHandler("/", func(r *ghttp.Request) { + tmpPath := gfile.Temp(guid.S()) + err := gfile.Mkdir(tmpPath) + gtest.AssertNil(err) + defer gfile.Remove(tmpPath) + + file := r.GetUploadFile("file") + _, err = file.Save(tmpPath) + gtest.AssertNil(err) + r.Response.Write( + r.Get("json"), + gfile.GetContents(gfile.Join(tmpPath, gfile.Basename(file.Filename))), + r.Get("url"), + ) + }) + s.SetDumpRouterMap(false) + s.Start() + defer s.Shutdown() + + time.Sleep(100 * time.Millisecond) + + gtest.C(t, func(t *gtest.T) { + path := gtest.DataPath("upload", "file&&name=1.txt") + data := g.Map{ + "file": "@file:" + path, + "json": `{"uuid": "luijquiopm", "isRelative": false, "fileName": "test111.xls"}`, + "url": fmt.Sprintf("https://127.0.0.1:%d/rand?key=%s&value=%s", s.GetListenedPort(), guid.S(), guid.S()), + } + c := g.Client() + c.SetPrefix(fmt.Sprintf("http://127.0.0.1:%d", s.GetListenedPort())) + t.Assert(c.PostContent(ctx, "/", data), data["json"].(string)+gfile.GetContents(path)+data["url"].(string)) + }) +} + func Test_Client_Middleware(t *testing.T) { s := g.Server(guid.S()) isServerHandler := false diff --git a/net/gclient/testdata/upload/file&&name=1.txt b/net/gclient/testdata/upload/file&&name=1.txt new file mode 100644 index 00000000000..20e13158762 --- /dev/null +++ b/net/gclient/testdata/upload/file&&name=1.txt @@ -0,0 +1 @@ +file&&name1.txt: This file is for uploading unit test case. \ No newline at end of file diff --git a/net/ghttp/ghttp_z_unit_test.go b/net/ghttp/ghttp_z_unit_test.go index b9feeccc3d3..ead64b00d97 100644 --- a/net/ghttp/ghttp_z_unit_test.go +++ b/net/ghttp/ghttp_z_unit_test.go @@ -170,6 +170,34 @@ func Test_BuildParams(t *testing.T) { }) } +func Test_BuildParams_WithComplexFileName(t *testing.T) { + // normal && special cases + params := map[string]string{ + "val": "12345678", + "code1": "x&a=1", // for fix + "code2": "x&a=111", + "id": "1+- ", // for fix + "f": "1#a=+- ", + "v": "", + "n": "null", + "file": "@file:text&name=1.xml", + } + + gtest.C(t, func(t *gtest.T) { + res1 := httputil.BuildParams(params) + vs, _ := url.ParseQuery(res1) + t.Assert(len(params), len(vs)) + for k := range vs { + vv := vs.Get(k) + _, ok := params[k] + // check no additional param + t.Assert(ok, true) + // check equal + t.AssertEQ(params[k], vv) + } + }) +} + func Test_ServerSignal(t *testing.T) { if runtime.GOOS == "windows" { t.Log("skip windows") diff --git a/os/gres/testdata/data/data.go b/os/gres/testdata/data/data.go index 0a154f6af20..87f90e4579c 100755 --- a/os/gres/testdata/data/data.go +++ b/os/gres/testdata/data/data.go @@ -3,7 +3,7 @@ package data import "github.com/gogf/gf/v2/os/gres" func init() { - if err := gres.Add(""); err != nil { + if err := gres.Add(""); err != nil { panic("add binary content to resource manager failed: " + err.Error()) } }