QueryStringBindable.unbind(): Do-do-do URLEncode for all queryString keys! #10370
PR has been rewritten from scratch.
8fea400 to e2a1171
@@ -309,8 +319,7 @@ object QueryStringBindable { | |||
|
|||
// Use an option here in case users call index(null) in the routes -- see #818 | |||
def unbind(key: String, value: String) = | |||
URLEncoder.encode(Option(key).getOrElse(""), "utf-8") + "=" + URLEncoder | |||
.encode(Option(value).getOrElse(""), "utf-8") | |||
_urlEncode(key) + "=" + Option(value).fold("")(_urlEncode) |
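Review bot: In `unbind(key: String, value: String)`, the replacement line `_urlEncode(key) + "=" + Option(value).fold("")(_urlEncode)` passes `key` to `_urlEncode` with no null guard, whereas the line it replaces mapped a null key to "" via `Option(key).getOrElse("")`. The comment kept above it ("Use an option here in case users call index(null) in the routes -- see #818") no longer says which argument it covers. Suggest rewording the comment to state that only `value` may be null, and adding a test that pins what happens for a null key so the behaviour change is deliberate. The method could also declare its result type explicitly (`: String`).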
Why was `Option` dropped for `key`? 🤔 Is it no longer needed?
Possibly, it was never needed. `Option(key).getOrElse()` was added a year ago in #9403 (diff) while fixing `URLEncode` for values.
- In `Binders.scala` there is no `Option(key)` for any other binders (Char, Long, Int, UUID, etc).
- There are zero tests for such behavior, where the parsed queryString contains null keys with String-only values.
- Generated `Router.scala` can't pass `null`s as parameter names. `null` as keys in Scala `Map[String,_]` must always `throw NPE`. It indicates a serious problem somewhere in the outer logic.
@ihostage This `Option(key)` appeared because the URLEncode support code was simply copy-pasted from the value code on the same line. For `value`, `Option()` really is needed, as the comment above it says.
Ok 👌
@helllamer Sorry, I'm not a maintainer and can't edit PR 🤷‍♂️
Sorry, I am too busy these days... Maybe @ignasi35 and/or @renatocaval can review?
Added docs for safety implementing own custom QSBs. Tests for several other QSB implementations. Fixes playframework#10369
@helllamer I had an intense look again at this pull request and it looks good to me. Actually I think it's a necessary fix and want to include it in the next Play 2.8.8 release. However I would like to push some small fixes to your patch (documentation wording and one more test).
@mkurz Glad to hear you.
@Mergifyio backport 2.8.x
@helllamer Thanks, I pushed two commits. Let's see what Travis says.
QueryStringBindable.unbind(): Do-do-do URLEncode for all queryString keys! (bp #10370)
Fixes #10369 - Let's DO `URLEncode.encode()` for all queryString keys in `QSB.unbind()`.

Unify `unbind()` behaviour over all query-string binders.

Currently, different binders handle qs-keys differently (look at `res3`):

Special characters like `[`, `]` and others MUST be Form-URL-encoded according to RFC.

Added documentation about applying `URLEncode` for handy-implemented unbinders.

Added tests for several common types of `QueryStringBindable`s.

Pull Request Checklist
Helpful things
Fixes
Fixes #10369
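
An added example (not code from this pull request or from Play) of why an unbinder has to encode the key as well as the value: it unbinds the same pairs with a raw key and with an encoded key, then parses the result back. `enc`, `unbindRawKey`, `unbindEncodedKey` and `parse` are hypothetical names, and the sample keys are constructed.

```scala
import java.net.{URLDecoder, URLEncoder}

object UnbindKeyEncodingDemo {
  // Hypothetical helper for this example, playing the role of _urlEncode in the diff.
  private def enc(s: String): String = URLEncoder.encode(s, "utf-8")

  // The inconsistent behaviour the description mentions: value encoded, key emitted as-is.
  def unbindRawKey(key: String, value: String): String =
    key + "=" + Option(value).fold("")(enc)

  // Key and value are both form-URL-encoded; a null value becomes an empty string.
  def unbindEncodedKey(key: String, value: String): String =
    enc(key) + "=" + Option(value).fold("")(enc)

  // Minimal application/x-www-form-urlencoded parser, enough for a round-trip check.
  def parse(qs: String): Seq[(String, String)] =
    qs.split("&").toSeq.filter(_.nonEmpty).map { pair =>
      val idx = pair.indexOf('=')
      val (k, v) =
        if (idx < 0) (pair, "") else (pair.substring(0, idx), pair.substring(idx + 1))
      URLDecoder.decode(k, "utf-8") -> URLDecoder.decode(v, "utf-8")
    }

  def main(args: Array[String]): Unit = {
    // Constructed samples: bracketed key, a key containing '&' and '=', and a null value.
    val samples = Seq("filter[name]" -> "a b", "x&y=z" -> "1", "plain" -> null)
    for ((k, v) <- samples) {
      val raw      = unbindRawKey(k, v)
      val safe     = unbindEncodedKey(k, v)
      val expected = Seq(k -> Option(v).getOrElse(""))
      println(s"key=$k")
      println(s"  raw key    : $raw  round-trips: ${parse(raw) == expected}")
      println(s"  encoded key: $safe  round-trips: ${parse(safe) == expected}")
    }
  }
}
```

With the raw key, `x&y=z` is split into two different parameters when parsed back; with the encoded key every sample round-trips to the original pair.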