www: avoid misinterpreting '&' and ';' in query parameters

Oops, we must unescape each key=value pair in a QUERY_STRING individually; otherwise we cannot interpret '&' or ';' in query parameter values.
author: Eric Wong <e@80x24.org> 2016-08-09 01:55:19 +0000
committer: Eric Wong <e@80x24.org> 2016-08-09 01:55:19 +0000
commit: 414d67298d830bec7fd4241b30283e08faa3222d (patch)
tree: bae866dd2fb9f2654fb3bf9fbd1e3d7b7d50c80a /lib/PublicInbox/WWW.pm
parent: 200fb98dd5d5f81344e9ab732d2c7ee3f92203e1 (diff)
download: public-inbox-414d67298d830bec7fd4241b30283e08faa3222d.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index 26cd571c..60cb4430 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -41,11 +41,11 @@ sub call {
  
          # we don't care about multi-value
          my %qp = map {
-                my ($k, $v) = split('=', $_, 2);
+                my ($k, $v) = split('=', uri_unescape($_), 2);
                  $v = '' unless defined $v;
                  $v =~ tr/+/ /;
                  ($k, $v)
-        } split(/[&;]/, uri_unescape($env->{QUERY_STRING}));
+        } split(/[&;]/, $env->{QUERY_STRING});
          $ctx->{qp} = \%qp;
  
          my $path_info = $env->{PATH_INFO};
author	Eric Wong <e@80x24.org>	2016-08-09 01:55:19 +0000
committer	Eric Wong <e@80x24.org>	2016-08-09 01:55:19 +0000
commit	414d67298d830bec7fd4241b30283e08faa3222d (patch)
tree	bae866dd2fb9f2654fb3bf9fbd1e3d7b7d50c80a /lib/PublicInbox/WWW.pm
parent	200fb98dd5d5f81344e9ab732d2c7ee3f92203e1 (diff)
download	public-inbox-414d67298d830bec7fd4241b30283e08faa3222d.tar.gz