
404 error - URL encoded query string fails to pass correctly if it includes a urlencoded forward slash #35614

Closed
securit opened this issue Dec 15, 2020 · 1 comment

securit commented Dec 15, 2020

  • Laravel Version: 8.18.1
  • PHP Version: 7.4.13
  • Database Driver & Version: PGSQL v13 on Laravel Forge

Description:

An HTTP GET route that includes a URL-encoded string with %2F in the string is incorrectly interpreted as a '/', resulting in a 404 error.

Steps To Reproduce:

In routes/web.php

Route::get('/test/{cryptString}/{crypt2String?}', function ($cryptString, $crypt2String = null) {
    // The optional route parameter needs a default, otherwise the closure
    // fails with a missing-argument error when the segment is absent.
    dump($cryptString);
    if ($crypt2String) {
        dump($crypt2String);
    }
});

Then if your site is local.test... visit the URL https://local.test/ThisShouldAllBe%2FOneString.

Actual Result will be:

^ "ThisShouldAllBe"
^ "OneString"

Expected Result would be:

^ "ThisShouldAllBe%2FOneString"
^ ""

Why is this important?
(a) URL encoding should be safe and not interpret the %2F as a /
(b) Encoded and encrypted data cannot be effectively passed. An example of this is a button that is to be pressed from within a toMail() notification.

$urlOrderString = urlencode(Hash::make($this->order->order_number) . Crypt::encryptString(serialize(['order_id' => $this->order->id, 'team_id' => $notifiable->id])));
$processURL = route('mail.order_fulfilled', $urlOrderString);

...

return (new MailMessage)
            ->subject(Lang::get('New order # :Order_no :From', ['Order_no' => $this->order->order_number, 'From' => $from]))
            ->greeting(Lang::get('New Order Received.'))
//            ->line(Lang::get('Congratulations, a new order has been made! You now need to fulfill and process the order.'))
//            ->action(Lang::get('Process the order'), $process)
            ->markdown('mail.order.placed', array_filter([
                'order'      => $orderData,
                'orderURL'   => $orderURL,
                'processURL' => $processURL,
                'contactURL' => $contactURL,
                'total'      => $orderData->order_lineitems ? $orderData->order_lineitems->sum(function ($item) {
                    return $item["price"] * $item["quantity"];
                }) : null,
            ], 'strlen'));
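To illustrate the split described above and one way around it, here is an added example (not code from the issue or from the Laravel project). The matchRoute() function is a simplified stand-in for Laravel's UriValidator, which applies the compiled route regex to rawurldecode() of the request path, so %2F has already become "/" by the time segments are matched; tokenEncode()/tokenDecode() are hypothetical helpers that carry the same bytes in a URL-safe alphabet, and the ciphertext is constructed random data standing in for what Crypt::encryptString() would return.

```php
<?php
// Added example (not from the issue): why an encoded slash splits a route
// segment, and how a URL-safe token avoids it. Plain PHP, no framework needed.

// Simplified model of Laravel's UriValidator: the compiled route regex is
// applied to rawurldecode($path), so "%2F" is "/" before matching happens.
function matchRoute(string $regex, string $requestPath): ?array
{
    $path = rtrim($requestPath, '/') ?: '/';
    if (!preg_match($regex, rawurldecode($path), $m)) {
        return null;                      // the framework answers 404 here
    }
    // keep only the named captures (route parameters)
    return array_filter($m, 'is_string', ARRAY_FILTER_USE_KEY);
}

// Hand-written equivalent of the regex compiled for
// Route::get('/test/{cryptString}/{crypt2String?}'): each segment stops at "/".
$routeRegex = '#^/test/(?P<cryptString>[^/]++)(?:/(?P<crypt2String>[^/]++))?$#sD';

// Reproduces the report: cryptString => "ThisShouldAllBe", crypt2String => "OneString"
var_dump(matchRoute($routeRegex, '/test/ThisShouldAllBe%2FOneString'));

// Mitigation: emit a token from the alphabet [A-Za-z0-9_-] only, so urlencode()
// has nothing to escape and the decoded path never contains "/".
function tokenEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function tokenDecode(string $token): string
{
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $bytes = base64_decode($b64, true);                   // strict: reject junk
    return $bytes === false ? '' : $bytes;
}

// Constructed stand-in for the ciphertext Crypt::encryptString() would produce.
$ciphertext = random_bytes(47);
$token = tokenEncode($ciphertext);
assert(strpbrk($token, '/+=%') === false);     // nothing for urlencode() to touch

// Now the whole token lands in cryptString and crypt2String is absent.
var_dump(matchRoute($routeRegex, '/test/' . $token));
assert(tokenDecode($token) === $ciphertext);   // round-trips losslessly
```

The same encoding should wrap the entire value placed in the path, since a bcrypt string from Hash::make() also contains "/" and "." characters. Some web servers additionally reject or decode %2F before PHP ever sees it (Apache's AllowEncodedSlashes defaults to Off), which a URL-safe token sidesteps as well.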
driesvints (Member) commented:

See #22125
