Fix decoding parameters in multipart/formdata

Author: thekid

ChangeLog.md

@@ -3,6 +3,11 @@ Web change log
 
 ## ?.?.? / ????-??-??
 
+* Fixed multipart/formdata field names and values decoding, these are not
+  urlencoded. Ignore the specification which states `"`, `\r` and `\n`
+  need to be escaped for consistency with PHP, see php/php-src#8206
+  (@thekid)
+
 ## 4.5.0 / 2024-09-15
 
 * Fixed issue #119: Array parameter inconsistency with multipart/formdata

src/main/php/web/Headers.class.php

@@ -157,6 +157,9 @@ protected function next($input, &$offset) {
                 throw new FormatException('Unclosed string in parameter "'.$name.'"');
               }
             } while ('\\' === $input[$p++ - 1]);
+
+            // Ignore the spec stating `"`, `\r` and `\n` should be percent-encoded for
+            // consistency with PHP, see https://github.com/php/php-src/issues/8206
             $parameters[$name]= strtr(substr($input, $offset + 1, $p - $offset - 2), ['\"' => '"']);
             $offset= $p + 1;
           } else {

src/main/php/web/io/Param.class.php

@@ -41,23 +41,23 @@ public static function from($name, $value) {
    * @throws lang.FormatException When input variable nesting level exceeded
    */
   public static function parse($name, $chunks) {
-    $encoded= '';
+    $value= '';
     foreach ($chunks as $chunk) {
-      $encoded.= $chunk;
+      $value.= $chunk;
     }
 
     // Trim leading spaces, replace '.' and ' ' inbetween with underscores, see
     // https://github.com/php/php-src/blob/php-8.4.0beta5/main/php_variables.c#L133
     if (false === ($p= strpos($name, '['))) {
-      $self= new self(urldecode(strtr(ltrim($name, ' '), '. ', '__')));
+      $self= new self(strtr(ltrim($name, ' '), '. ', '__'));
     } else if (substr_count($name, '[') <= self::$nesting) {
-      $self= new self(urldecode(strtr(ltrim(substr($name, 0, $p), ' '), '. ', '__')));
-      $self->array= urldecode(substr($name, $p));
+      $self= new self(strtr(ltrim(substr($name, 0, $p), ' '), '. ', '__'));
+      $self->array= substr($name, $p);
     } else {
       throw new FormatException('Cannot parse '.$name.' (nesting level > '.self::$nesting.')');
     }
 
-    $self->value= urldecode($encoded);
+    $self->value= $value;
     return $self;
   }
 

src/test/php/web/unittest/ParamsTest.class.php

@@ -15,8 +15,7 @@ private function params() {
     yield ['key[0][a]', [['a' => 'value']]];
     yield ['key[a]', ['a' => 'value']];
     yield ['key[a][b]', ['a' => ['b' => 'value']]];
-    yield ['key[%C3%BC]', ['ü' => 'value']];
-    yield ['key[%C3%BC]', ['ü' => 'value']];
+    yield ['key[ü]', ['ü' => 'value']];
   }
 
   /** @return iterable */
@@ -30,8 +29,6 @@ private function merge() {
       ['key.name', 'value'],
       ['color name', 'green'],
       [' price', '12.99'],
-      ['gr%c3%bcn', 'de'],
-      ['de', 'gr%c3%bcn'],
     ]];
     yield [[
       ['accepted', 'true'],
@@ -107,10 +104,18 @@ public function merging_consistent_with_parse_str($params) {
     Assert::equals($expected, $outcome);
   }
 
+  #[Test, Values(['a&b', 'a+b', 'a%5B%5Db'])]
+  public function name_used_as_is($name) {
+    Assert::equals($name, Param::parse($name, ['value'])->name());
+  }
+
+  #[Test, Values(['a&b', 'a+b', 'a%5B%5Db'])]
+  public function value_used_as_is($value) {
+    Assert::equals($value, Param::parse('key', [$value])->value());
+  }
+
   #[Test]
   public function encoded_brackets_in_offset() {
-
-    // IMO this should be ["[]" => "value"] but we'll be consistent with PHP here
-    Assert::equals(['[' => ['value']], Param::parse('key[%5B%5D]', ['value'])->value());
+    Assert::equals(['%5B%5D' => 'value'], Param::parse('key[%5B%5D]', ['value'])->value());
   }
 }