author | Kenneth Hsu <kennethhsu@gmail.com> | 2020-08-23 23:58:34 +0300 |
---|---|---|
committer | Kenneth Hsu <kennethhsu@gmail.com> | 2020-08-24 17:41:00 +0300 |
commit | d4d7874aaf873075e73939a824d4a5559030eda3 (patch) | |
tree | 7b670fe63907b30789acb7a238fa3a45721ae572 /Duplicati/Server | |
parent | bcaedebecd1f47b22c4fdec25805667165dd4ad7 (diff) |
Avoid decoding URL parameters when removing passwords.
In revision c41f2c6a60 ("moved all sanitization logic into backup class
and moved from regex to using internal Uri library"), we cleaned up the
removal of passwords from an exported backup configuration. However,
the use of Uri.QueryParameters resulted in exporting decoded parameter
values, which violated some assumptions made by the decode_uri function
in AppUtils.js. This caused usernames in the JSON to contain '@'
instead of '%40', which led to incorrect decomposition of the target URL
into its components in the UI.
This concerns issue #3619.
Diffstat (limited to 'Duplicati/Server')
-rw-r--r-- | Duplicati/Server/Database/Backup.cs | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/Duplicati/Server/Database/Backup.cs b/Duplicati/Server/Database/Backup.cs
index 962fb1081..117253942 100644
--- a/Duplicati/Server/Database/Backup.cs
+++ b/Duplicati/Server/Database/Backup.cs
@@ -18,6 +18,7 @@ using System;
using Duplicati.Server.Serialization.Interface;
using System.Collections.Generic;
+using System.Collections.Specialized;
using System.Linq;
namespace Duplicati.Server.Database
@@ -121,11 +122,19 @@ namespace Duplicati.Server.Database public void SanitizeTargetUrl()
{
var url = new Duplicati.Library.Utility.Uri(this.TargetURL);
- var filteredParameters = url.QueryParameters;
- foreach (string field in UrlPasswords) {
- filteredParameters.Remove(field);
+ NameValueCollection filteredParameters = new NameValueCollection();
+ if (url.Query != null)
+ {
+ // We cannot use url.QueryParameters since it contains decoded parameter values, which
+ // breaks assumptions made by the decode_uri function in AppUtils.js. Since we are simply
+ // removing password parameters, we will leave the parameters as they are in the target URL.
+ filteredParameters = Library.Utility.Uri.ParseQueryString(url.Query, false);
+ foreach (string field in this.UrlPasswords)
+ {
+ filteredParameters.Remove(field);
+ }
}
- url = url.SetQuery(Duplicati.Library.Utility.Uri.BuildUriQuery(url.QueryParameters));
+ url = url.SetQuery(Duplicati.Library.Utility.Uri.BuildUriQuery(filteredParameters));
this.TargetURL = url.ToString();
}
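Review bot: The `foreach` over `this.UrlPasswords` now calls `filteredParameters.Remove(field)` against parameter names that were parsed without decoding, so a password parameter whose name appears percent-encoded in the target URL would presumably not match and would remain in the exported configuration. Whether `ParseQueryString(url.Query, false)` leaves names encoded as well as values is not visible in this hunk, so it is worth pinning with a test that sanitizes a URL carrying an encoded password key and asserts the parameter is gone. If names do stay encoded, match on the decoded name while leaving the stored values untouched, e.g. `foreach (var key in filteredParameters.AllKeys.Where(k => k != null && this.UrlPasswords.Contains(System.Uri.UnescapeDataString(k))).ToList()) filteredParameters.Remove(key);` (assuming `UrlPasswords` is a collection of strings). The existing comment should also say that removal is a security control for exported configurations, so a later change does not weaken the match for the sake of round-tripping.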