fix(HyperRequest): Avoid double encoding using cfhttpparam

elpete · elpete · commit f25bc86fef6f · 2018-10-31T11:58:35.000-06:00
Lucee automatically encodes the `url` attribute.  This led to double-encoding.
Instead, we use the `cfhttpparam` without doing any encoding ourselves
since the `cfhttpparam` always encodes.
diff --git a/models/HyperRequest.cfc b/models/HyperRequest.cfc
@@ -422,8 +422,9 @@ component accessors="true" {
     *
     * @returns The full url for the request.
     */
-    function getFullUrl() {
-        return getBaseUrl() & getUrl() & serializeQueryParams();
+    function getFullUrl( withQueryString = false) {
+        return getBaseUrl() & getUrl() &
+            ( arguments.withQueryString ? serializeQueryParams() : "" );
     }
 
     /**
@@ -504,8 +505,8 @@ component accessors="true" {
         var queryString = listRest( arguments.url, "?" );
         var queryParams = listToArray( queryString, "&" );
         for ( var paramString in queryParams ) {
-            var name = listFirst( paramString, "=" );
-            var value = listRest( paramString, "=" );
+            var name = decodeFromUrl( listFirst( paramString, "=" ) );
+            var value = decodeFromUrl( listRest( paramString, "=" ) );
             setQueryParam( name, value );
         }
         return listFirst( arguments.url, "?" );
@@ -526,7 +527,9 @@ component accessors="true" {
         }
         queryParamNames.sort( "textnocase" );
         return "?" & queryParamNames.map( function( name ) {
-            return "#encodeForURL( name )#=#encodeForURL( variables.queryParams[ name ] )#";
+            return len( variables.queryParams[ name ] ) ?
+                "#encodeForURL( name )#=#encodeForURL( variables.queryParams[ name ] )#" :
+                "#encodeForURL( name )#";
         } ).toList( "&" );
     }
 
@@ -600,6 +603,14 @@ component accessors="true" {
                 );
             }
 
+            for ( var name in variables.queryParams ) {
+                cfhttpparam(
+                    type = "url",
+                    name = name,
+                    value = variables.queryParams[ name ]
+                );
+            }
+
             if ( hasBody() ) {
                 if ( getBodyFormat() == "json" ) {
                     cfhttpparam( type = "body", value = prepareBody() );
diff --git a/tests/specs/integration/GetSpec.cfc b/tests/specs/integration/GetSpec.cfc
@@ -34,7 +34,8 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
                 var res = hyper.get( "https://jsonplaceholder.typicode.com/posts", {
                     "userId" = 1
                 } );
-                expect( res.getRequest().getFullUrl() ).toBeWithCase( "https://jsonplaceholder.typicode.com/posts?userId=1" );
+                expect( res.getRequest().getFullUrl( withQueryString = true ) )
+                    .toBeWithCase( "https://jsonplaceholder.typicode.com/posts?userId=1" );
             } );
 
             it( "serializes query string params in the long hand", function() {
@@ -45,7 +46,26 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
                         "userId" = 1
                     } )
                     .get();
-                expect( res.getRequest().getFullUrl() ).toBeWithCase( "https://jsonplaceholder.typicode.com/posts?userId=1" );
+                expect( res.getRequest().getFullUrl( withQueryString = true) )
+                    .toBeWithCase( "https://jsonplaceholder.typicode.com/posts?userId=1" );
+            } );
+
+            it( "deserializes query string parameters in the url (to reserialize later)", function() {
+                var res = hyper
+                    .setBaseUrl( "https://jsonplaceholder.typicode.com" )
+                    .setUrl( "/posts?param=with+spaces" )
+                    .get();
+                expect( res.getRequest().getFullUrl( withQueryString = true ) )
+                    .toBeWithCase( "https://jsonplaceholder.typicode.com/posts?param=with+spaces" );
+            } );
+
+            it( "can handle params with no value in the url", function() {
+                var res = hyper
+                    .setBaseUrl( "https://jsonplaceholder.typicode.com" )
+                    .setUrl( "/posts?flag" )
+                    .get();
+                expect( res.getRequest().getFullUrl( withQueryString = true ) )
+                    .toBeWithCase( "https://jsonplaceholder.typicode.com/posts?flag" );
             } );
 
             it( "combines both query params and the query string in the url", function() {
@@ -56,7 +76,8 @@ component extends="tests.resources.ModuleIntegrationSpec" appMapping="/app" {
                         "force" = "true"
                     } )
                     .get();
-                expect( res.getRequest().getFullUrl() ).toBeWithCase( "https://jsonplaceholder.typicode.com/posts?force=true&fwreinit=true&userId=1" );
+                expect( res.getRequest().getFullUrl( withQueryString = true ) )
+                    .toBeWithCase( "https://jsonplaceholder.typicode.com/posts?force=true&fwreinit=true&userId=1" );
             } );
 
             it( "has access to the original HyperRequest in the HyperResponse", function() {
