rwf2
/
Rocket
mirror of https://github.com/rwf2/Rocket.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix decoding from form values: replace `+` with ` ` before percent decode

This commit is contained in:
Liigo Zhuang 2016-12-30 13:57:37 +08:00
parent f43f77dbfc
commit 8f97671d50
3 changed files with 13 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
examples/forms/src/main.rs
View File

@ -12,7 +12,7 @@ use rocket::response::Redirect;
#[derive(FromForm)] #[derive(FromForm)]
struct UserLogin<'r> { struct UserLogin<'r> {
username: &'r str, username: &'r str,
password: &'r str, password: String, // use String here to apply form url decoding
age: Result<usize, &'r str>, age: Result<usize, &'r str>,
} }
@ -27,10 +27,12 @@ fn login<'a>(user_form: Form<'a, UserLogin<'a>>) -> Result<Redirect, String> {
}; };
if user.username == "Sergio" { if user.username == "Sergio" {
match user.password { match user.password.as_str() {
"password" => Ok(Redirect::to("/user/Sergio")), "password" => Ok(Redirect::to("/user/Sergio")),
_ => Err("Wrong password!".to_string()) _ => Err("Wrong password!".to_string())
} }
} else if user.username == "print_passsword" {
Err(format!("{}", user.password))
} else { } else {
Err(format!("Unrecognized user, '{}'.", user.username)) Err(format!("Unrecognized user, '{}'.", user.username))
} }

7
examples/forms/src/tests.rs
View File

@ -13,7 +13,7 @@ fn test_login(username: &str, password: &str, age: isize, status: Status,
let mut response = req.dispatch_with(&rocket); let mut response = req.dispatch_with(&rocket);
let body_str = response.body().and_then(|body| body.into_string()); let body_str = response.body().and_then(|body| body.into_string());
println!("Checking: {:?}/{:?}", username, password); println!("Checking: {:?}/{:?}/{:?}/{:?}", username, password, age, body_str);
assert_eq!(response.status(), status); assert_eq!(response.status(), status);
if let Some(string) = body { if let Some(string) = body {
@ -35,6 +35,11 @@ fn test_bad_login() {
test_login("Sergio", "jk", -100, OK, Some("'-100' is not a valid integer.")); test_login("Sergio", "jk", -100, OK, Some("'-100' is not a valid integer."));
test_login("Sergio", "ok", 30, OK, Some("Wrong password!")); test_login("Sergio", "ok", 30, OK, Some("Wrong password!"));
test_login("Mike", "password", 30, OK, Some("Unrecognized user, 'Mike'.")); test_login("Mike", "password", 30, OK, Some("Unrecognized user, 'Mike'."));
// request parameters are url-encoded (normally by browser)
test_login("print_passsword", "password", 100, OK, Some("password"));
test_login("print_passsword", "1+1", 100, OK, Some("1 1"));
test_login("print_passsword", "1%2B1", 100, OK, Some("1+1"));
test_login("print_passsword", "%3Fa%3D1%26b%3D2", 100, OK, Some("?a=1&b=2"));
} }
#[test] #[test]

16
lib/src/request/form/from_form_value.rs
View File

@ -73,21 +73,11 @@ impl<'v> FromFormValue<'v> for String {
// This actually parses the value according to the standard. // This actually parses the value according to the standard.
fn from_form_value(v: &'v str) -> Result<Self, Self::Error> { fn from_form_value(v: &'v str) -> Result<Self, Self::Error> {
let result = URI::percent_decode(v.as_bytes()); let replaced = v.replace("+", " "); // keep `v` as is, so we may return it
let result = URI::percent_decode(replaced.as_bytes());
match result { match result {
Err(_) => Err(v), Err(_) => Err(v),
Ok(mut string) => Ok({ Ok(string) => Ok(string.into_owned())
// Entirely safe because we're changing the single-byte '+'.
unsafe {
for c in string.to_mut().as_mut_vec() {
if *c == b'+' {
*c = b' ';
}
}
}
string.into_owned()
})
} }
} }
} }