The Wayback Machine - https://web.archive.org/web/20201112101809/https://github.com/playframework/playframework/pull/10370
Skip to content

/ playframework

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QueryStringBindable.unbind(): Do-do-do URLEncode for all queryString keys! #10370

Open
wants to merge 1 commit into
base: master
from
Open

QueryStringBindable.unbind(): Do-do-do URLEncode for all queryString keys! #10370

wants to merge 1 commit into from

Conversation

@helllamer
Copy link

@helllamer helllamer commented Jul 1, 2020
edited

Fixes #10369 - Let's DO URLEncode.encode() for all queryString keys in QSB.unbind().
Unify unbind() behaviour over all query-string binders.

Currently, different binders handle qs-keys differently (look at res3):

$ sbt console
import play.api.mvc.QueryStringBindable

scala> QueryStringBindable.bindableChar.unbind( "items[1]", '1' )
val res1: String = items[1]=1

scala> QueryStringBindable.bindableInt.unbind( "items[1]", 1 )
val res2: String = items[1]=1

scala> QueryStringBindable.bindableString.unbind( "items[1]", "1" )
val res3: String = items%5B1%5D=1

scala> QueryStringBindable.bindableDouble.unbind( "items[1]", 1 )
val res4: String = items[1]=1.0

Special characters like [, ] and others MUST be Form-URL-encoded according to RFC.
Added documentation about applying URLEncode for handy-implemented unbinders.
Added tests for several common types of QueryStringBindables.

Pull Request Checklist

Helpful things

Fixes

Fixes #10369
@mkurz
mkurz reviewed Jul 1, 2020
View changes
core/play/src/test/scala/play/api/mvc/BindersSpec.scala Outdated Show resolved Hide resolved
@helllamer helllamer force-pushed the suggestio:master branch from ab791ab to 78e5984 Jul 1, 2020
@helllamer helllamer changed the title Binders.bindableString.unbind(): Do not URLEncode qs-keys. QueryStringBindable.unbind(): Do-do-do URLEncode for all queryString keys! Jul 1, 2020
@helllamer
Copy link
Author

@helllamer helllamer commented Jul 1, 2020
edited

PR has been rewritten from scratch.
Now, all qs-binders using URLEncode.encode() against all queryString keys.
Tests extended.
Documentation extended.
@helllamer helllamer force-pushed the suggestio:master branch 7 times, most recently from 8fea400 to e2a1171 Jul 1, 2020
@ihostage
ihostage reviewed Jul 1, 2020
View changes
core/play/src/main/scala/play/api/mvc/Binders.scala
@@ -309,8 +319,7 @@ object QueryStringBindable {

// Use an option here in case users call index(null) in the routes -- see #818
def unbind(key: String, value: String) =
URLEncoder.encode(Option(key).getOrElse(""), "utf-8") + "=" + URLEncoder
.encode(Option(value).getOrElse(""), "utf-8")
_urlEncode(key) + "=" + Option(value).fold("")(_urlEncode)

This comment has been minimized.

Sign in to view
@ihostage

ihostage Jul 1, 2020
Member

Why Option dropped for key? 🤔 He is no longer needed?

This comment has been minimized.

Sign in to view
@helllamer

helllamer Jul 1, 2020
Author

Possibly, it never needed.
Option(key).getOrElse() added year ago in #9403 (diff) during fixing URLEncode for values.

  • In Binders.scala there are no Option(key) for any other binders (Char, Long, Int, UUID, etc).
  • There are zero tests for such behavior, where parsed queryString contains null keys with String-only values.
  • Generated Router.scala can't pass nulls as parameter names.
  • null as keys in scala Map[String,_] must always throw NPE. It indicates serious problem in somewhere outer logic.

This comment has been minimized.

Sign in to view
@helllamer

helllamer Jul 1, 2020
edited
Author

@ihostage Этот Option(key) появился, т.к. код поддержки URLEncode просто скопипастили из value-кода в той же строке. Для value действительно нужен Option(), о чём в комменте там выше написано.

This comment has been minimized.

Sign in to view
@ihostage

ihostage Jul 2, 2020
Member

Ok 👌

@helllamer
Copy link
Author

@helllamer helllamer commented Jul 15, 2020

@mkurz @ihostage I don't understand, is reviews completed ok? Is it time to remove status:block-merge flag?
@ihostage
Copy link
Member

@ihostage ihostage commented Jul 15, 2020

@helllamer Sorry, I'm not a maintainer and can't edit PR 🤷‍♂️
@mkurz
Copy link
Member

@mkurz mkurz commented Jul 21, 2020
edited

Sorry, I am too busy these days... Maybe @ignasi35 and/or @renatocaval can review?
@helllamer helllamer force-pushed the suggestio:master branch from e2a1171 to 85f133e Jul 23, 2020
@mkurz mkurz added this to the Play 2.9.0 milestone Sep 2, 2020
@helllamer
QueryStringBindables.unbind(): Do URLEncode qs-keys always.
Loading status checks…
03539bd 
Added docs for safety implementing own custom QSBs.
Tests for several other QSB implementations.
Fixes #10369
@helllamer helllamer force-pushed the suggestio:master branch from 85f133e to 03539bd Sep 11, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkurz mkurz

@ihostage ihostage

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
status:block-merge
Projects
None yet
Milestone
2.9.0
Linked issues

Successfully merging this pull request may close these issues.

QueryStringBindable.bindableString.unbind() produces URL-encoded keys, other binders - don't
3 participants
@helllamer @ihostage @mkurz
You can’t perform that action at this time.