In a fresh Laravel installation, I've added this to my routes file:
http://localhost/test/a%20b - outputs "a b" as expected
http://localhost/test/a%2520b - outputs "a b" - expected "a%20b"
http://localhost/test/a%252520b - outputs "a%20b" - expected "a%2520b"
In the second example, the first decode makes it "a%20b" and the second decode turns it into "a b". This makes it impossible to reliably determine what the original input was.
To give a bit of context, we pass S3 filenames as route parameters. These filenames are defined by end users. One particular file is named with a literal %20 in it, so our route parameter contains %2520. In the controller, the double urldecoding makes it a literal space which causes the request to S3 to come back with a 404.
composer.lock shows laravel/framework is at v5.2.39. Sorry I can't investigate further and provide a pull request - I found this as part of my day job so I can't let myself get distracted with fixing framework bugs...
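Added example, not part of the original report and not Laravel's own code: it models a route parameter that is percent-decoded once versus twice using plain `rawurldecode()`, and shows that the second pass maps two distinct raw segments from the report to the same value. The function names `decodeSegment` and `findCollisions` are hypothetical helpers introduced for this illustration.

```php
<?php
// Added illustration, not Laravel code: models a route parameter that is
// percent-decoded a given number of times before the controller sees it.

/** Apply rawurldecode() $passes times to one raw path segment. */
function decodeSegment(string $rawSegment, int $passes): string
{
    $value = $rawSegment;
    for ($i = 0; $i < $passes; $i++) {
        $value = rawurldecode($value);
    }
    return $value;
}

/** Group raw segments by decoded result; any group of 2+ is a collision. */
function findCollisions(array $rawSegments, int $passes): array
{
    $byDecoded = [];
    foreach ($rawSegments as $raw) {
        $byDecoded[decodeSegment($raw, $passes)][] = $raw;
    }
    return array_filter($byDecoded, fn(array $raws): bool => count($raws) > 1);
}

// The three path segments from the report, as they appear on the wire.
$segments = ['a%20b', 'a%2520b', 'a%252520b'];

foreach ($segments as $raw) {
    $once  = decodeSegment($raw, 1);
    $twice = decodeSegment($raw, 2);
    // A lossless pipeline round-trips: re-encoding the decoded value
    // reproduces the raw segment. A second decode pass breaks that for
    // any segment whose decoded form still contains a percent escape.
    $roundTrips = rawurlencode($twice) === $raw;
    printf("%-10s once=%-8s twice=%-6s round-trip after two passes: %s\n",
        $raw, $once, $twice, $roundTrips ? 'yes' : 'NO');
}

// Compare how many raw inputs share a decoded value under each pass count.
// A collision means the handler cannot tell which name the client sent.
echo "collisions with one pass:\n";
print_r(findCollisions($segments, 1));
echo "collisions with two passes:\n";
print_r(findCollisions($segments, 2));
```

The same collision check is useful as a regression test for any component that compares, authorizes, or looks up objects by a decoded path parameter, since a value validated after one decode can change meaning after a second.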