golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

net/http.Request: req.URL.Query() incorrectly parsing + #65923

Closed alifemove closed 7 months ago

alifemove commented 7 months ago

Go version

go1.21.6 darwin/arm64

Output of go env in your module/workspace:

GO111MODULE='on'
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/<>/Library/Caches/go-build'
GOENV='/Users/<>/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/<>/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='darwin'
GOPATH='/Users/<>/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/<>/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.21.6.darwin-arm64'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/<>/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.21.6.darwin-arm64/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.21.6'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/<>/Documents/IndustryPlatforms/godata/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/n0/012yw6xx3lqfh_sx6dyl4j800000gq/T/go-build588417773=/tmp/go-build -gno-record-gcc-switches -fno-common'

What did you do?

When parsing query strings, req.URL.Query() seems to be incorrectly removing +, potentially at url.go

var queryString = req.URL.Query()
fmt.Println(queryString)

/query?filter=ModificationTimestamp ge '2024-02-23T18:34:55+00:00'

What did you see happen?

map[filter:[(ModificationTimestamp ge '2024-02-23T18:34:55 00:00')]]

What did you expect to see?

map[filter:[(ModificationTimestamp ge '2024-02-23T18:34:55+00:00')]]

ianlancetaylor commented 7 months ago

This is expected behavior. + in a URL query string separates arguments. See https://en.wikipedia.org/wiki/Query_string.

letto4135 commented 7 months ago

@ianlancetaylor Does that include string literals then? My thinking would be that + inside the ' ' should not be messed with. Could be wrong on that, but + and - before the timezone is valid in date times so I would have thought that that would need to be supported.

ianlancetaylor commented 7 months ago

URL handling is as specified in RFC 3986. That RFC has no support for string literals or other kinds of string quoting.

To include a + in a query string, write it as %2B.
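
The behaviour discussed in this thread, as an added example that is not part of the original issue or the Go project's code: it decodes the reported filter with a literal + and with the value encoded through url.Values, and adds a server-side check that rejects a timestamp whose + was decoded to a space. The helper names parseFilter, encodeFilter and timestampValid are hypothetical, and the inputs are constructed from the filter in the report.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed sample: the filter value from the report above.
const filter = "ModificationTimestamp ge '2024-02-23T18:34:55+00:00'"

// parseFilter returns the "filter" parameter as net/url decodes it.
func parseFilter(rawQuery string) (string, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	return vals.Get("filter"), nil
}

// encodeFilter builds the query string so that '+' is sent as %2B.
func encodeFilter(value string) string {
	return url.Values{"filter": {value}}.Encode()
}

// timestampValid reports whether the quoted literal in a decoded filter
// is a well-formed RFC 3339 timestamp. A '+' that was decoded to a
// space fails here, so the server can reject the request early.
func timestampValid(decoded string) bool {
	parts := strings.Split(decoded, "'")
	if len(parts) != 3 {
		return false
	}
	_, err := time.Parse(time.RFC3339, parts[1])
	return err == nil
}

func main() {
	// Literal '+' on the wire, spaces sent as %20 (constructed input).
	raw := "filter=ModificationTimestamp%20ge%20'2024-02-23T18:34:55+00:00'"
	got, _ := parseFilter(raw)
	fmt.Printf("raw '+': %q valid=%v\n", got, timestampValid(got))

	// Encoded by url.Values: the value round-trips unchanged.
	enc := encodeFilter(filter)
	got, _ = parseFilter(enc)
	fmt.Printf("encoded: %s\n -> %q valid=%v\n", enc, got, timestampValid(got))
}
```

Validating the decoded literal before it reaches a filter or query builder turns a silently altered value into an explicit request error.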