Closed bart-degreed closed 3 years ago
An incoming request with a query string that contains an escaped key without a value is not properly unescaped.
Example:
```
GET http://localhost/api/demo?fields%5BtodoItems%5D HTTP/1.1
```

```csharp
string keys = string.Join(' ', new HttpContextAccessor().HttpContext.Request.Query.Keys); // keys: %5BtodoItems%5D
```
In contrast, when the query string does contain a value, it gets unescaped properly.
```
GET http://localhost/api/demo?fields%5BtodoItems%5D=1 HTTP/1.1
```

```csharp
string keys = string.Join(' ', new HttpContextAccessor().HttpContext.Request.Query.Keys); // keys: [todoItems]
```
This bug applies to ASP.NET Core version: 3.1, 5.0 and the master branch.
The problem is caused by the next line: https://github.com/dotnet/aspnetcore/blob/52eff90fbcfca39b7eb58baad597df6a99a542b0/src/Http/WebUtilities/src/QueryHelpers.cs#L221 which does not unescape. To fix, replace this line with:
```csharp
string name = queryString.Substring(scanIndex, delimiterIndex - scanIndex);
accumulator.Append(Uri.UnescapeDataString(name.Replace('+', ' ')), string.Empty);
```
When this gets fixed, it would be great to also backport it to .NET Core 3.1 and 5.0.
I should note this problem does not repro when using WebApplicationFactory from an integration test, presumably because things are short-circuited in that case.
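A simplified model of the key/value scan described in the issue, added here as an illustration; it is not the ASP.NET Core source or the reporter's code. It runs the two query strings from the report through both the reported behaviour and the proposed fix, which is the check to make wherever code matches on decoded parameter names. `ParseKeys` and `unescapeBareKeys` are hypothetical names, and the sample inputs are constructed from the requests above.

```csharp
using System;
using System.Collections.Generic;

static class QueryKeyDemo
{
    // Hypothetical stand-in for the parsing loop the issue points at.
    // unescapeBareKeys = false models the reported behaviour,
    // unescapeBareKeys = true applies the fix proposed in the issue.
    static List<string> ParseKeys(string queryString, bool unescapeBareKeys)
    {
        var keys = new List<string>();
        int scanIndex = (queryString.Length > 0 && queryString[0] == '?') ? 1 : 0;
        int textLength = queryString.Length;
        while (scanIndex < textLength)
        {
            int delimiterIndex = queryString.IndexOf('&', scanIndex);
            if (delimiterIndex == -1) delimiterIndex = textLength;
            int equalIndex = queryString.IndexOf('=', scanIndex);
            if (equalIndex != -1 && equalIndex < delimiterIndex)
            {
                // key=value pair: the key is unescaped on this path.
                string name = queryString.Substring(scanIndex, equalIndex - scanIndex);
                keys.Add(Uri.UnescapeDataString(name.Replace('+', ' ')));
            }
            else if (delimiterIndex > scanIndex)
            {
                // Key without a value: the path the issue is about.
                string name = queryString.Substring(scanIndex, delimiterIndex - scanIndex);
                keys.Add(unescapeBareKeys
                    ? Uri.UnescapeDataString(name.Replace('+', ' '))
                    : name);
            }
            scanIndex = delimiterIndex + 1;
        }
        return keys;
    }

    static void Main()
    {
        // Constructed inputs: the two query strings from the report.
        foreach (string qs in new[] { "?fields%5BtodoItems%5D", "?fields%5BtodoItems%5D=1" })
        {
            Console.WriteLine(qs);
            Console.WriteLine("  reported: " + string.Join(" ", ParseKeys(qs, false)));
            Console.WriteLine("  fixed:    " + string.Join(" ", ParseKeys(qs, true)));
        }
    }
}
```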