From 414d67298d830bec7fd4241b30283e08faa3222d Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Tue, 9 Aug 2016 01:55:19 +0000
Subject: www: avoid misinterpreting '&' and ';' in query parameters

Oops, we must unescape each key=value pair in a QUERY_STRING individually; otherwise we cannot interpret '&' or ';' in query parameter values.
---
lib/PublicInbox/WWW.pm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'lib/PublicInbox/WWW.pm')
diff --git a/lib/PublicInbox/WWW.pm b/lib/PublicInbox/WWW.pm
index 26cd571c..60cb4430 100644
--- a/lib/PublicInbox/WWW.pm
+++ b/lib/PublicInbox/WWW.pm
@@ -41,11 +41,11 @@ sub call {
 # we don't care about multi-value
 my %qp = map {
- my ($k, $v) = split('=', $_, 2);
+ my ($k, $v) = split('=', uri_unescape($_), 2);
 $v = '' unless defined $v;
 $v =~ tr/+/ /;
 ($k, $v)
- } split(/[&;]/, uri_unescape($env->{QUERY_STRING}));
+ } split(/[&;]/, $env->{QUERY_STRING});
 $ctx->{qp} = \%qp;
 my $path_info = $env->{PATH_INFO};
-- 
cgit v1.2.3-24-ge0c7
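Review bot: In the rewritten `map` block, `uri_unescape($_)` still runs before both `split('=', …, 2)` and `$v =~ tr/+/ /`, so each pair is decoded one step too early. A key containing `%3D` is cut at the decoded `=`, and a value containing `%2B` is decoded to `+` and then turned into a space, which is the same kind of misreading this commit removes for `&` and `;`. Splitting the raw pair and decoding last avoids both: keep `my ($k, $v) = split('=', $_, 2);`, leave `$v =~ tr/+/ /;` where it is, and add `($k, $v) = map { uri_unescape($_) } ($k, $v);` just before the final `($k, $v)`. `sub call` begins and continues outside the hunk.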