From 463dfbf4fe4286a46c220612debf5f181e98f7b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Wed, 19 Apr 2023 21:10:34 -0700
Subject: [PATCH] Fix incorrect parameter encoding when using URLs rewriting
A parameter with quotes or other special characters should be url encoded. Incorrect encoding could happen when using search queries like this one: modified:">=2023-04-01"
---
 app/Core/Http/Route.php | 3 ++-
 tests/units/Core/Http/RouteTest.php | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/Core/Http/Route.php b/app/Core/Http/Route.php
index 3d9eaeaaa..c28087dc4 100644
--- a/app/Core/Http/Route.php
+++ b/app/Core/Http/Route.php
@@ -101,7 +101,7 @@ class Route extends Base
 for ($i = 0; $i < $count; $i++) {
 if ($route['items'][$i][0] === ':') {
- $params[substr($route['items'][$i], 1)] = $items[$i];
+ $params[substr($route['items'][$i], 1)] = urldecode($items[$i]);
 } elseif ($route['items'][$i] !== $items[$i]) {
 break;
 }
@@ -152,6 +152,7 @@ class Route extends Base
 $i = 0;
 foreach ($params as $variable => $value) {
+ $value = urlencode($value);
 $url = str_replace(':'.$variable, $value, $url);
 $i++;
 }
diff --git a/tests/units/Core/Http/RouteTest.php b/tests/units/Core/Http/RouteTest.php
index 869209706..30a32619e 100644
--- a/tests/units/Core/Http/RouteTest.php
+++ b/tests/units/Core/Http/RouteTest.php
@@ -55,6 +55,14 @@ class RouteTest extends Base
 $this->assertEquals('v1', $this->container['request']->getStringParam('p1'));
 $this->assertEquals('v2', $this->container['request']->getStringParam('p2'));
+
+ $route->addRoute('/search/:query', 'searchcontroller', 'searchaction');
+ $this->assertEquals(
+ array('controller' => 'searchcontroller', 'action' => 'searchaction', 'plugin' => ''),
+ $route->findRoute('/search/modified%3A%22%3E%3D2023-04-01%22')
+ );
+
+ $this->assertEquals('modified:">=2023-04-01"', $this->container['request']->getStringParam('query'));
 }
 public function testFindUrl()
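Review bot: `urldecode($items[$i])` in the route-matching loop of `app/Core/Http/Route.php` (presumably `findRoute`) uses form decoding, so a literal `+` in an incoming path segment is silently turned into a space; `rawurldecode($items[$i])` here, paired with `rawurlencode($value)` in the `findUrl` hunk of the same file, keeps path semantics and should still produce the strings the new tests expect. Because decoding runs after the path has been split into `$items`, a parameter can now carry a `/` or control bytes (from `%2F`, `%00`) that a raw segment could not, so code reading these parameters should not assume a single clean segment; those consumers are not visible in this hunk. The change also assumes the path reaching this loop is still percent-encoded: if it was already decoded upstream, a value such as `%2522` would be decoded twice, which a comment like `// $items must come from the raw, undecoded request path` would make explicit. The loop belongs to a method that starts and ends outside the hunk.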
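Review bot: A parameter value containing `/` is now emitted as `%2F` by `$value = urlencode($value);` in the `foreach` of `app/Core/Http/Route.php`, and some web servers refuse encoded slashes in the path by default (Apache answers 404 unless `AllowEncodedSlashes` is enabled), so a generated link for a query that contains a slash may be dead even though the round trip passes in the unit test. Which servers the project supports is not visible here, so at minimum this deserves a comment above the line, for example `// each value is percent-encoded as one path segment; an encoded "/" (%2F) may be rejected by the web server`. The `foreach` sits in a method that starts and ends outside the hunk.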
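Review bot: The new `/search/:query` case in `tests/units/Core/Http/RouteTest.php` only exercises characters that decode the same way under every scheme, so it would not catch the edge cases the decode step introduces. Assertions for a segment with a `+` (for example `'/search/a+b'`), for an encoded slash (`'/search/a%2Fb'`) and for a doubly encoded value (`'/search/%2522'`) would pin the intended behaviour; the added `findUrl` assertion in the second test hunk could mirror them with the same values. The test method begins outside the hunk.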
@@ -76,5 +84,6 @@ class RouteTest extends Base
 $this->assertEquals('something', $route->findUrl('controller1', 'action1', array(), 'myplugin'));
 $this->assertEquals('foo/123', $route->findUrl('controller1', 'action3', array('myvar' => 123), 'myplugin'));
 $this->assertEquals('foo/123', $route->findUrl('controller1', 'action3', array('myvar' => 123, 'plugin' => 'myplugin')));
+ $this->assertEquals('foo/modified%3A%22%3E%3D2023-04-01%22', $route->findUrl('controller1', 'action3', array('myvar' => 'modified:">=2023-04-01"', 'plugin' => 'myplugin')));
 }
 }