Merge pull request #624 from luraproject/reject_reserved_chars_in_params

reject requests with special chars in the params
luraproject · Nov 17, 2022 · 974703c · 974703c
2 parents acf6b01 + 1ec59bb
commit 974703c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/router/gin/engine.go b/router/gin/engine.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/textproto"
 	"net/url"
+	"strings"
 	"sync"
 	"time"
 
@@ -130,7 +131,7 @@ func paramChecker() gin.HandlerFunc {
 				c.AbortWithStatus(http.StatusBadRequest)
 				return
 			}
-			if s != param.Value {
+			if s != param.Value || strings.Contains(s, "?") || strings.Contains(s, "#") {
 				c.String(http.StatusBadRequest, "error: encoded url params")
 				c.AbortWithStatus(http.StatusBadRequest)
 				return