
strange behaviour with ampersand in REST API /messages

Open fblackburn1 opened this issue 7 years ago • 1 comments

MongooseIM version: 2.0.1
Installed from: source
Erlang/OTP version: 17 from Debian Jessie

Given MongooseIM with mod_http_notification enabled

When I make the following request:

    curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{"to": "alice@localhost", "caller": "bob@localhost", "body": "Hi Rabbit!&escape=Hello" }' 'http://localhost:8088/api/messages'

Then MongooseIM makes a callback with the following data:

    ('escape', 'Hello'), ('message', 'Hi Rabbit!'), ('receiver', 'alice'), ('author', 'bob'), ('server', 'localhost')

Expected:

    ('message', 'Hi Rabbit!&escape=Hello'), ('receiver', 'alice'), ('author', 'bob'), ('server', 'localhost')

Workaround: escape the ampersand (&) with %26 before sending the request

I don't know if we can reproduce this bug with the /messages from 8089, because when I use the user's API, the callback is not triggered :/. In such a case, this can be a security issue (i.e. duplicate the keys message/receiver/author/server).

fblackburn1, Aug 03 '17 17:08
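The behaviour reported above, reproduced as an added example that is not part of the original issue and is not MongooseIM's code. It assumes the callback body is form-encoded and built by joining `key=value` pairs without percent-encoding, which matches the observed output; the function names are hypothetical. It shows the unescaped body beside the encoded one, plus a receiver-side check that rejects unknown or duplicated keys.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed sample: the callback fields from the issue report.
FIELDS = [
    ("author", "bob"),
    ("server", "localhost"),
    ("receiver", "alice"),
    ("message", "Hi Rabbit!&escape=Hello"),
]
EXPECTED_KEYS = ("author", "server", "receiver", "message")


def build_body_unescaped(fields):
    """Assumed faulty behaviour: join key=value pairs without encoding."""
    return "&".join(f"{k}={v}" for k, v in fields)


def build_body_encoded(fields):
    """Percent-encode every key and value, so '&' and '=' stay data."""
    return urlencode(fields)


def parse_callback(body, expected=EXPECTED_KEYS):
    """Receiver-side check: exactly the expected keys, each exactly once."""
    seen = {}
    for key, value in parse_qsl(body, keep_blank_values=True, strict_parsing=True):
        if key not in expected:
            raise ValueError(f"unexpected key: {key!r}")
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen[key] = value
    missing = set(expected) - seen.keys()
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    return seen


if __name__ == "__main__":
    raw = build_body_unescaped(FIELDS)
    print(raw, "->", parse_qsl(raw))       # message is split, 'escape' appears
    safe = build_body_encoded(FIELDS)
    print(safe, "->", parse_callback(safe))  # message arrives intact
```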

Hi @fblackburn1

Thanks for spotting this. Someone from the team will investigate it.

fenek, Nov 22 '17 16:11