Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

header.location in Redirects is Double-Encoded in Nuxt v3.12.1 #27554

Open
Wulawa opened this issue Jun 12, 2024 · 9 comments · May be fixed by #27822
Open

header.location in Redirects is Double-Encoded in Nuxt v3.12.1 #27554

Wulawa opened this issue Jun 12, 2024 · 9 comments · May be fixed by #27822
Labels
3.x bug ❗ p4-important

Comments

@Wulawa
Copy link

Wulawa commented Jun 12, 2024
edited
Loading

Environment

  • Operating System: Darwin
  • Node Version: v21.7.3
  • Nuxt Version: 3.12.1
  • CLI Version: 3.12.0
  • Nitro Version: 2.9.6
  • Package Manager: pnpm@9.1.4
  • Builder: -
  • User Config: app, srcDir, devtools, modules, i18n, css, pinia, imports, nitro, runtimeConfig, vue, vite, build
  • Runtime Modules: @pinia/nuxt@0.5.1, @vant/nuxt@1.0.4, @nuxtjs/i18n@8.3.1, nuxt-swiper@1.2.2
  • Build Modules: -

Reproduction

  1. Set up a Nuxt project with the latest version.
  2. Implement a redirection in your server middleware or a page, where the redirection URL contains another URL as a query parameter. For example:
navigateTo('https://example.com/?redirect='+encodeURIComponent('https://anotherexample.com/?param=value'), {
	external: true,
});
  1. Observe the redirection behavior in the browser or using a tool like curl.

Describe the bug

In the latest version of Nuxt, it appears that the header.location in the redirects is being encoded using encodeURI. This causes issues when the redirection URL contains another URL as a query parameter. The nested URL gets encoded multiple times, resulting in a failed redirection.

Additional context

No response

Logs

No response
@danielroe
Copy link
Member

cc: @huang-julien

@huang-julien
Copy link
Member

Do you have a minimal reproduction please ? At first, it looks like this is due to the revert we made in nuxt 3.12. Nuxt encode the location header when redirecting in SSR

@github-actions GitHub Actions
Copy link
Contributor

Would you be able to provide a reproduction? 🙏

More info

Why do I need to provide a reproduction?

Reproductions make it possible for us to triage and fix issues quickly with a relatively small team. It helps us discover the source of the problem, and also can reveal assumptions you or we might be making.

What will happen?

If you've provided a reproduction, we'll remove the label and try to reproduce the issue. If we can, we'll mark it as a bug and prioritize it based on its severity and how many people we think it might affect.

If needs reproduction labeled issues don't receive any substantial activity (e.g., new comments featuring a reproduction link), we'll close them. That's not because we don't care! At any point, feel free to comment with a reproduction and we'll reopen it.

How can I create a reproduction?

We have a couple of templates for starting with a minimal reproduction:

👉 https://stackblitz.com/github/nuxt/starter/tree/v3-stackblitz
👉 https://codesandbox.io/s/github/nuxt/starter/v3-codesandbox

A public GitHub repository is also perfect. 👌

Please ensure that the reproduction is as minimal as possible. See more details in our guide.

You might also find these other articles interesting and/or helpful:

@Wulawa
Copy link
Author

Wulawa commented Jun 13, 2024

Do you have a minimal reproduction please ? At first, it looks like this is due to the revert we made in nuxt 3.12. Nuxt encode the location header when redirecting in SSR

@huang-julien
https://stackblitz.com/edit/github-lfphyg?file=app.vue
This example, redirect parameter is Double-Encoded but if i don't use encodeURIComponent, the hash is lost.

@sumomo015
Copy link

I had the same issue. Here is a minimal reproduction.
https://stackblitz.com/edit/github-obvyf4-uwozwd?file=pages%2Findex.vue

path should be /redirected?redirect_to=%2Ftest, but it was /redirected?redirect_to=%252Ftest

danielroe added a commit that referenced this issue Jun 15, 2024
@danielroe
fix(nuxt): do not uri-encode location header
21a273f 
resolves #27554
danielroe added a commit that referenced this issue Jun 15, 2024
@danielroe
fix(nuxt): do not uri-encode location header
95d0734 
resolves #27554
@danielroe danielroe mentioned this issue Jun 15, 2024
Closed
@amandesai01
Copy link
Contributor

Facing same issue. Works fine with 3.11.2 and breaks in 3.12.1 (next release).

@amandesai01
Copy link
Contributor

amandesai01 commented Jun 17, 2024
edited
Loading

From discussion, it seems that this is rather h3 issue. However, I can see that both the versions use exact same h3 version. How is this possible? just curious.

@danielroe danielroe mentioned this issue Jun 20, 2024
Closed
@markbrouch
Copy link

I am also encountering this issue after upgrading from 3.11.2 to 3.12.2. Our authentication server already encodes a query string param for a redirect URI which after 3.12.2 becomes doubly encoded and breaks the redirect parsing.

I suggest this change to be reverted, as this is a breaking change in the 3.12 minor release: https://github.com/nuxt/nuxt/blame/f2868f8c72320009e4502f97456b13f77c6b0322/packages/nuxt/src/app/composables/router.ts#L172

@deleteme
Copy link

Echoing the impact of this bug:

Redirections to external urls are currently broken, if they include parameters that are already encoded. This is common when dealing with authentication redirects.

Also, this seems like a big blind spot in test coverage.

@danielroe danielroe linked a pull request Jun 25, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3.x bug ❗ p4-important
Projects
None yet
Milestone
No milestone
7 participants
@deleteme @markbrouch @Wulawa @danielroe @amandesai01 @huang-julien @sumomo015