fix: array query parameters need to be converted to string form #314

Merged
merged 3 commits into from
Jul 23, 2020

zenghao1203 (Contributor) commented Jul 23, 2020

Why

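When a query parameter is an array, it needs to be converted to a string, because array parameters get processed when the request is sent; for example:

const query = {
  area: ['south', 'west']
}

// becomes (shown as the key/value pairs that are sent, not valid object syntax):
//   area[]: 'south'
//   area[]: 'west'

In most projects that already use array parameters, they have all been converted to string form. This causes the query API to report errors.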

How

When processing the query parameters, just add a check: if an array is used, convert the array to a string.

const area = ['south','west']
const areaString = area.toString().trim()   // south,west

Test

before

after


netlify bot commented Jul 23, 2020

Deploy preview for el-data-table ready!

Built with commit 8f6560b

https://deploy-preview-314--el-data-table.netlify.app

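gd4Ark (Contributor) commented Jul 23, 2020

An earlier PR, in order to fix array parameters being lost on refresh, deliberately kept the array form when storing them in the URL so that they can be decoded normally.
So if only the parameters at request time need to change, modifying query here is still too early; move it to just before the request parameters are constructed and it works properly.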

levy9527 merged commit a30071d into FEMessage:dev Jul 23, 2020

levy9527 (Contributor) commented

@all-contributors add @zenghao1203 bug

allcontributors (Contributor) commented

@levy9527

I've put up a pull request to add @zenghao1203! 🎉

levy9527 changed the title from "fix:array query parameters need to be converted to string form" to "fix: array query parameters need to be converted to string form" Jul 23, 2020
auto-add-label bot added the bug (Something isn't working) label Jul 23, 2020
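shoyuf (Member) commented Sep 8, 2020

This code changes the default behavior of axios requests.
When a value in params is an array, for example {a:[1,2]}:

  • axios by default passes the value as {url}?a[]=1&a[]=2
  • this code passes it as {url}?a=1,2

The HTTP protocol allows a parameter with the same name to appear multiple times.
How each server receives parameters depends on how each language (framework) implements it.

References:

  1. Security - Built for enterprise-level frameworks and applications
  2. HTTP Parameter Pollution (HPP) vulnerabilities in web applications - CSDN
  3. eBay had an RCE (remote command execution) vulnerability caused by parameter pollution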
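The two serializations compared in the comment above, as an added example that is not part of the PR, the project, or axios: it shows what a parser sees for a repeated name, a server-side check for repeated names, and the ambiguity that comma-joining introduces. The helper names `serializeBrackets`, `serializeJoined`, `readings` and `repeatedNames` are hypothetical, and the sample query is constructed.

```javascript
// Added example: not code from el-data-table or axios.
// Constructed sample query, matching the PR description.
const sample = { area: ['south', 'west'] };

// Bracket form described in the thread: area[]=south&area[]=west
// (URLSearchParams percent-encodes "[", "]" and "," on output.)
function serializeBrackets(query) {
  const usp = new URLSearchParams();
  for (const [key, value] of Object.entries(query)) {
    if (Array.isArray(value)) value.forEach(v => usp.append(`${key}[]`, String(v)));
    else usp.append(key, String(value));
  }
  return usp.toString();
}

// Joined form introduced by this PR: area=south,west
function serializeJoined(query) {
  const usp = new URLSearchParams();
  for (const [key, value] of Object.entries(query)) {
    usp.append(key, Array.isArray(value) ? value.toString().trim() : String(value));
  }
  return usp.toString();
}

// Three ways a server framework may read one name; they disagree on repeats.
function readings(queryString, name) {
  const all = new URLSearchParams(queryString).getAll(name);
  return { first: all[0], last: all[all.length - 1], all };
}

// Hypothetical server-side guard: names that occur more than once, so a
// handler can reject them instead of depending on first-wins or last-wins.
function repeatedNames(queryString) {
  const counts = new Map();
  for (const [name] of new URLSearchParams(queryString)) {
    counts.set(name, (counts.get(name) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > 1).map(([name]) => name);
}

// Joining is lossy: one element containing a comma and two separate
// elements produce the same query string.
function joinedIsAmbiguous() {
  return serializeJoined({ area: ['south,west'] }) === serializeJoined(sample);
}
```

The joined form keeps each name single-valued on the wire, but the server then has to split on commas itself and cannot tell a literal comma in a value from a separator.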
