From e093da01dcefac72502b4fa0c8375760cf98934e Mon Sep 17 00:00:00 2001
From: Roland Reichwein <mail@reichwein.it>
Date: Sun, 19 Apr 2020 18:17:48 +0200
Subject: Bugfix: urldecode

---
 plugins/webbox/webbox.cpp | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

(limited to 'plugins')

diff --git a/plugins/webbox/webbox.cpp b/plugins/webbox/webbox.cpp
index 3cfd616..7d15ee9 100644
--- a/plugins/webbox/webbox.cpp
+++ b/plugins/webbox/webbox.cpp
@@ -30,6 +30,7 @@ namespace {
  static const std::string PROGRAMVERSION{"Webbox 2.0"};
  static const std::string DOWNLOAD_FILENAME{"webbox-download.zip"};
 
+ // TODO: separate out
  class Tempfile
  {
   fs::path m_path;
@@ -65,6 +66,36 @@ namespace {
   { "500", "Internal Server Error" }
  };
 
+ std::string urlDecode(std::string s)
+ {
+  std::string result;
+
+  size_t pos = 0;
+  while (pos < s.size()) {
+   char c {s[pos]};
+   if (c == '+') {
+    result += ' ';
+   } else if (c == '%' && pos + 2 < s.size()) {
+    try {
+     int i = stoi(s.substr(pos + 1, 2), 0, 16);
+     if (i < 0 || i > 255)
+      return result;
+
+     result += static_cast<char>(i);
+    } catch (...) {
+     return result;
+    }
+
+    pos += 2;
+   } else {
+    result += c;
+   }
+   pos++;
+  }
+
+  return result;
+ }
+
  std::unordered_map<std::string, std::string> ParseQueryString(std::string s)
  {
   std::unordered_map<std::string, std::string> result;
@@ -75,7 +106,7 @@ namespace {
    for (auto i: list) {
     pos = i.find('=');
     if (pos != i.npos) {
-     result[i.substr(0, pos)] = i.substr(pos + 1);
+     result[urlDecode(i.substr(0, pos))] = urlDecode(i.substr(pos + 1));
     }
    }
   }
@@ -145,7 +176,7 @@ public:
   }
 
   // Set parameters from FastCGI request environment
-  m_pathInfo = p.m_GetRequestParam("rel_target");
+  m_pathInfo = urlDecode(p.m_GetRequestParam("rel_target"));
   size_t pos {m_pathInfo.find('?')};
   if (pos != m_pathInfo.npos) {
    m_pathInfo = m_pathInfo.substr(0, pos);
-- 
cgit v1.2.3