mirror of
https://gitee.com/johng/gf
synced 2026-06-06 02:25:47 +08:00
5e677a1e05
## What does this PR do? Fixes #4156 When posting form data with file upload, if a field value contains `=` or `&`, the value was being truncated. ### Example ```go data := g.Map{ "file": "@file:/path/to/file.txt", "fieldName": "aaa=1&b=2", } client.Post(ctx, "/upload", data) ``` **Expected**: Server receives `fieldName = "aaa=1&b=2"` **Actual (before fix)**: Server receives `fieldName = "aaa"` (truncated) ## Root Cause Analysis The issue was caused by three problems in the original code: ### Problem 1: Global URL encoding disable (httputils.go) ```go // Original code - PROBLEMATIC if urlEncode { for k, v := range m { if gstr.Contains(k, fileUploadingKey) || gstr.Contains(gconv.String(v), fileUploadingKey) { urlEncode = false // Disables URL encoding for ALL values! break } } } ``` When any value contained `@file:`, URL encoding was disabled for ALL values, causing `"aaa=1&b=2"` to remain unencoded. The `&` character was then treated as a parameter separator. ### Problem 2: Split on all `=` characters (gclient_request.go) ```go // Original code - PROBLEMATIC array := strings.Split(item, "=") // Splits on ALL '=' characters ``` This caused `"fieldName=aaa=1"` to be split into `["fieldName", "aaa", "1"]`. ### Problem 3: No URL decoding for field values URL-encoded values were written directly to the multipart form without decoding. ## Solution ### Fix 1: Remove global URL encoding disable Only `@file:` prefixed values are kept unencoded for file upload detection. Other values are properly URL-encoded. ### Fix 2: Use SplitN to limit split count ```go array := strings.SplitN(item, "=", 2) // Only split on first '=' ``` ### Fix 3: Add URL decoding for field values ```go if v, err := gurl.Decode(fieldValue); err == nil { fieldValue = v } ``` ## Compatibility Analysis | Scenario | Before | After | Compatible | |----------|--------|-------|------------| | Normal form POST (no file upload) | ✅ Works | ✅ Works | ✅ Yes | | File upload + normal field values | ✅ Works | ✅ Works | ✅ Yes | | File upload + field values containing `=` or `&` | ❌ Truncated | ✅ Works | ✅ Fixed | | Field value is `@file:` (no path) | ✅ Works | ✅ Works | ✅ Yes | | Field value starts with `@file:` but file doesn't exist | ❌ Error | ❌ Error | ✅ Yes | | User sends pre-encoded value like `"aaa%3D1"` | ✅ Works | ✅ Works | ✅ Yes | | Content-Type: application/json | ✅ Works | ✅ Works | ✅ Yes | | Content-Type: application/xml | ✅ Works | ✅ Works | ✅ Yes | ### Breaking Change Assessment **No breaking changes.** The fix only affects the file upload scenario where field values contain special characters (`=`, `&`). Previously this scenario was broken, now it works correctly. ### Edge Cases 1. **Literal `@file:` value**: GoFrame treats `@file:` as a special marker for file upload. This is a framework design decision and remains unchanged. 2. **URL decode failure**: If URL decoding fails (e.g., invalid `%XX` sequence), the original value is preserved. ## Test Coverage Added comprehensive tests covering: - `Test_Issue4156` - Basic fix verification - `Test_Issue4156_MultipleSpecialChars` - Multiple `=`, `&`, `%`, `+`, spaces - `Test_Issue4156_MultipleFields` - Multiple fields with special characters - `Test_Issue4156_NoFileUpload` - Normal POST without file upload - `Test_Issue4156_PreEncodedValue` - Pre-encoded values like `%3D` - `Test_Issue4156_EmptyAndSpecialValues` - Edge cases (`=` at start/end, only special chars) - `TestBuildParams_*` - httputil.BuildParams comprehensive tests All tests pass, including existing `Test_Issue3748` which tests the `@file:` marker handling. ## Files Changed - `internal/httputil/httputils.go` - Remove global URL encoding disable, adjust `@file:` condition - `internal/httputil/httputils_test.go` - Add comprehensive BuildParams tests - `net/gclient/gclient_request.go` - Use SplitN, add URL decoding - `net/gclient/gclient_z_unit_issue_test.go` - Add Issue 4156 test cases
183 lines
5.0 KiB
Go
183 lines
5.0 KiB
Go
// Copyright GoFrame Author(https://goframe.org). All Rights Reserved.
|
|
//
|
|
// This Source Code Form is subject to the terms of the MIT License.
|
|
// If a copy of the MIT was not distributed with this file,
|
|
// You can obtain one at https://github.com/gogf/gf.
|
|
|
|
package httputil_test
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/gogf/gf/v2/frame/g"
|
|
"github.com/gogf/gf/v2/internal/httputil"
|
|
"github.com/gogf/gf/v2/test/gtest"
|
|
"github.com/gogf/gf/v2/text/gstr"
|
|
)
|
|
|
|
func TestBuildParams(t *testing.T) {
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"a": "1",
|
|
"b": "2",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
t.Assert(gstr.Contains(params, "a=1"), true)
|
|
t.Assert(gstr.Contains(params, "b=2"), true)
|
|
})
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"a": "1",
|
|
"b": nil,
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
t.Assert(gstr.Contains(params, "a=1"), true)
|
|
t.Assert(gstr.Contains(params, "b="), false)
|
|
t.Assert(gstr.Contains(params, "b"), false)
|
|
})
|
|
}
|
|
|
|
// https://github.com/gogf/gf/issues/4023
|
|
func TestIssue4023(t *testing.T) {
|
|
gtest.C(t, func(t *gtest.T) {
|
|
type HttpGetRequest struct {
|
|
Key1 string `json:"key1"`
|
|
Key2 string `json:"key2,omitempty"`
|
|
}
|
|
r := &HttpGetRequest{
|
|
Key1: "value1",
|
|
}
|
|
params := httputil.BuildParams(r)
|
|
t.Assert(params, "key1=value1")
|
|
})
|
|
}
|
|
|
|
// TestBuildParams_SpecialCharacters tests URL encoding of special characters.
|
|
func TestBuildParams_SpecialCharacters(t *testing.T) {
|
|
// Test special characters are properly URL encoded.
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"key": "value=with=equals",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// = should be encoded as %3D
|
|
t.Assert(gstr.Contains(params, "key=value%3Dwith%3Dequals"), true)
|
|
})
|
|
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"key": "value&with&ersand",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// & should be encoded as %26
|
|
t.Assert(gstr.Contains(params, "key=value%26with%26ampersand"), true)
|
|
})
|
|
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"key": "value with spaces",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// space should be encoded as + or %20
|
|
t.Assert(gstr.Contains(params, "key=value") && gstr.Contains(params, "with") && gstr.Contains(params, "spaces"), true)
|
|
})
|
|
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"key": "value%percent",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// % should be encoded as %25
|
|
t.Assert(gstr.Contains(params, "key=value%25percent"), true)
|
|
})
|
|
}
|
|
|
|
// TestBuildParams_FileUploadMarker tests that @file: prefix is not URL encoded.
|
|
func TestBuildParams_FileUploadMarker(t *testing.T) {
|
|
// Test @file: with path is not encoded.
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"file": "@file:/path/to/file.txt",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// @file: should NOT be encoded
|
|
t.Assert(gstr.Contains(params, "file=@file:/path/to/file.txt"), true)
|
|
})
|
|
|
|
// Test @file: without path is not encoded.
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"name": "@file:",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// @file: alone should NOT be encoded
|
|
t.Assert(gstr.Contains(params, "name=@file:"), true)
|
|
})
|
|
|
|
// Test @file: with path does not affect other fields encoding.
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"file": "@file:/path/to/file.txt",
|
|
"field": "value=1&b=2",
|
|
}
|
|
params := httputil.BuildParams(data)
|
|
// @file: should NOT be encoded
|
|
t.Assert(gstr.Contains(params, "@file:/path/to/file.txt"), true)
|
|
// Other field's special characters SHOULD be encoded
|
|
t.Assert(gstr.Contains(params, "field=value%3D1%26b%3D2"), true)
|
|
})
|
|
}
|
|
|
|
// TestBuildParams_NoUrlEncode tests the noUrlEncode parameter.
|
|
func TestBuildParams_NoUrlEncode(t *testing.T) {
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"key": "value=1&b=2",
|
|
}
|
|
// With noUrlEncode = true, special characters should NOT be encoded.
|
|
params := httputil.BuildParams(data, true)
|
|
t.Assert(gstr.Contains(params, "key=value=1&b=2"), true)
|
|
})
|
|
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := g.Map{
|
|
"key": "value=1&b=2",
|
|
}
|
|
// With noUrlEncode = false (default), special characters SHOULD be encoded.
|
|
params := httputil.BuildParams(data, false)
|
|
t.Assert(gstr.Contains(params, "key=value%3D1%26b%3D2"), true)
|
|
})
|
|
}
|
|
|
|
// TestBuildParams_StringInput tests string input is returned as-is.
|
|
func TestBuildParams_StringInput(t *testing.T) {
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := "key=value&key2=value2"
|
|
params := httputil.BuildParams(data)
|
|
t.Assert(params, "key=value&key2=value2")
|
|
})
|
|
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := []byte("key=value&key2=value2")
|
|
params := httputil.BuildParams(data)
|
|
t.Assert(params, "key=value&key2=value2")
|
|
})
|
|
}
|
|
|
|
// TestBuildParams_SliceInput tests slice input.
|
|
func TestBuildParams_SliceInput(t *testing.T) {
|
|
gtest.C(t, func(t *gtest.T) {
|
|
data := []any{g.Map{"a": "1", "b": "2"}}
|
|
params := httputil.BuildParams(data)
|
|
t.Assert(gstr.Contains(params, "a=1"), true)
|
|
t.Assert(gstr.Contains(params, "b=2"), true)
|
|
})
|
|
|
|
gtest.C(t, func(t *gtest.T) {
|
|
// Empty slice
|
|
data := []any{}
|
|
params := httputil.BuildParams(data)
|
|
t.Assert(params, "")
|
|
})
|
|
}
|