Merge pull request #20482 from Uzair-Ahmed-Shah/fix-issue-20420

Fix #20420: Prevent double decoding of file URL parameter
2026-02-08 00:21:11 +01:00 · 2025-12-13 14:22:47 +01:00 · 2025-12-13 14:22:47 +01:00 · 8b4fae0a84
commit 8b4fae0a84
parent ff4529d127 a25448502d
2 changed files with 35 additions and 1 deletions
--- a/test/integration/viewer_spec.mjs
+++ b/test/integration/viewer_spec.mjs
@ -1260,6 +1260,40 @@ describe("PDF viewer", () => {
    });
  });

+  describe("File param with encoded characters (issue 20420)", () => {
+    let pages;
+
+    beforeEach(async () => {
+      const baseURL = new URL(global.integrationBaseUrl);
+      const url = `${baseURL.origin}/build/generic/web/compressed.tracemonkey-pldi-09.pdf?token=%2Ffoo`;
+      pages = await loadAndWait(
+        encodeURIComponent(url),
+        ".textLayer .endOfContent"
+      );
+    });
+
+    afterEach(async () => {
+      await closePages(pages);
+    });
+
+    it("must not double-decode the file param", async () => {
+      await Promise.all(
+        pages.map(async ([browserName, page]) => {
+          const pdfUrl = await page.evaluate(
+            () => window.PDFViewerApplication.url
+          );
+
+          expect(pdfUrl)
+            .withContext(`In ${browserName}`)
+            .toContain("token=%2Ffoo");
+          expect(pdfUrl)
+            .withContext(`In ${browserName}`)
+            .not.toContain("token=/foo");
+        })
+      );
+    });
+  });
+
  describe("Keyboard scrolling on startup (bug 843653)", () => {
    let pages;

--- a/web/app.js
+++ b/web/app.js
@ -789,7 +789,7 @@ const PDFViewerApplication = {
      const params = parseQueryString(queryString);
      file = params.get("file") ?? AppOptions.get("defaultUrl");
      try {
-        file = new URL(decodeURIComponent(file)).href;
+        file = new URL(file).href;
      } catch {
        file = encodeURIComponent(file).replaceAll("%2F", "/");
      }