Fix argument uri decode order

The uri decode happens after the string is splitted, not before.
2025-08-14 05:45:59 +03:00 · 2016-06-17 15:34:06 -03:00 · 2016-06-17 15:34:06 -03:00 · c5262d54f2
commit c5262d54f2
parent dbaf79fb8e
2 changed files with 49 additions and 18 deletions
--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -254,6 +254,8 @@ bool Transaction::extractArguments(const std::string &orig,
            i++;
        }

+        key = uri_decode(key);
+        value = uri_decode(value);
        addArgument(orig, key, value);
    }
 }
@ -391,16 +393,8 @@ int Transaction::processURI(const char *uri, const char *method,
    m_collections.store("REQUEST_URI_RAW", uri);

    if (pos != std::string::npos && (m_uri_decoded.length() - pos) > 2) {
-        /**
-         * FIXME:
-         *
-         * This is configurable by secrules, we should respect whatever
-         * the secrules said about it.
-         *
-         */
-        std::string sets(m_uri_decoded, pos + 1, m_uri_decoded.length() -
-            (pos + 1));
-        extractArguments("GET", sets);
+        extractArguments("GET", std::string(uri_s, pos_raw + 1,
+            uri_s.length() - (pos_raw + 1)));
    }
    return true;
 }
@ -648,11 +642,7 @@ int Transaction::processRequestBody() {
            m_collections.storeOrUpdateFirst("REQBODY_PROCESSOR_ERROR", "0");
        }
    } else if (m_requestBodyType == WWWFormUrlEncoded) {
-        std::string content = uri_decode(m_requestBody.str());
-        if (content.empty() == false) {
-            content.pop_back();
-        }
-        extractArguments("POST", content);
+        extractArguments("POST", m_requestBody.str());
    } else {
        std::string *a = m_collections.resolveFirst(
            "REQUEST_HEADERS:Content-Type");
--- a/test/test-cases/regression/variable-ARGS_GET.json
+++ b/test/test-cases/regression/variable-ARGS_GET.json
@ -2,7 +2,7 @@
  {  
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: ARGS_GET (1/2)",
+    "title":"Testing Variables :: ARGS_GET (1/3)",
    "client":{  
      "ip":"200.249.12.31",
      "port":123
@ -40,10 +40,10 @@
      "SecRule ARGS_GET \"@contains test \" \"id:1,pass,t:trim\""
    ]
  },
-  {  
+  {
    "enabled":1,
    "version_min":300000,
-    "title":"Testing Variables :: ARGS_GET (2/2)",
+    "title":"Testing Variables :: ARGS_GET (2/3)",
    "client":{  
      "ip":"200.249.12.31",
      "port":123
@ -80,6 +80,47 @@
      "SecDebugLogLevel 9",
      "SecRule ARGS_GET \"@contains test \" \"id:1,pass,t:trim\""
    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Variables :: ARGS_GET (3/3)",
+    "client":{  
+      "ip":"200.249.12.31",
+      "port":123
+    },
+    "server":{  
+      "ip":"200.249.12.31",
+      "port":80
+    },
+    "request":{  
+      "headers":{  
+        "Host":"localhost",
+        "User-Agent":"curl/7.38.0",
+        "Accept":"*/*"
+      },
+      "uri":"/?key=value&key=other_value%26withsomestuff=tootherstuff",
+      "method":"GET"
+    },
+    "response":{  
+      "headers":{  
+        "Date":"Mon, 13 Jul 2015 20:02:41 GMT",
+        "Last-Modified":"Sun, 26 Oct 2014 22:33:37 GMT",
+        "Content-Type":"text/html"
+      },
+      "body":[  
+        "no need."
+      ]
+    },
+    "expected":{  
+      "debug_log":"Target value: \"other_value&withsomestuff=tootherstuff\""
+    },
+    "rules":[  
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecDebugLogLevel 9",
+      "SecRule ARGS_GET \"@contains test \" \"id:1,pass,t:trim\""
+    ]
  }
 ]