From: Eric Wong <e@80x24.org>
Date: Tue, 9 Aug 2016 01:55:19 +0000 (+0000)
Subject: www: avoid misinterpreting '&' and ';' in query parameters
X-Git-Tag: v1.0.0~243
X-Git-Url: http://www.git.stargrave.org/?a=commitdiff_plain;h=414d67298d830bec7fd4241b30283e08faa3222d;p=public-inbox.git

www: avoid misinterpreting '&' and ';' in query parameters

Oops, we must unescape each key=value pair in a QUERY_STRING
individually; otherwise we cannot interpret '&' or ';' in
query parameter values.
---

diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index 26cd571c..60cb4430 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -41,11 +41,11 @@ sub call {
 
 	# we don't care about multi-value
 	my %qp = map {
-		my ($k, $v) = split('=', $_, 2);
+		my ($k, $v) = split('=', uri_unescape($_), 2);
 		$v = '' unless defined $v;
 		$v =~ tr/+/ /;
 		($k, $v)
-	} split(/[&;]/, uri_unescape($env->{QUERY_STRING}));
+	} split(/[&;]/, $env->{QUERY_STRING});
 	$ctx->{qp} = \%qp;
 
 	my $path_info = $env->{PATH_INFO};