QueryString key is not unescaped when value omitted

[bart-degreed]

An incoming request with a query string that contains an escaped key without a value is not properly unescaped.

Example:

GET http://localhost/api/demo?fields%5BtodoItems%5D HTTP/1.1

string keys = string.Join(' ', new HttpContextAccessor().HttpContext.Request.Query.Keys);
// keys: %5BtodoItems%5D

In contrast, when the query string does contain a value, it gets unescaped properly.

GET http://localhost/api/demo?fields%5BtodoItems%5D=1 HTTP/1.1

string keys = string.Join(' ', new HttpContextAccessor().HttpContext.Request.Query.Keys);
// keys: [todoItems]

This bug applies to ASP.NET Core version: 3.1, 5.0 and the master branch.

The problem is caused by the next line:

aspnetcore/src/Http/WebUtilities/src/QueryHelpers.cs

Line 221 in 52eff90

accumulator.Append(queryString.Substring(scanIndex, delimiterIndex - scanIndex), string.Empty);

which does not unescape. To fix, replace this line with:

string name = queryString.Substring(scanIndex, delimiterIndex - scanIndex);
accumulator.Append(Uri.UnescapeDataString(name.Replace('+', ' ')), string.Empty);

When this gets fixed, it would be great to also backport it to .NET Core 3.1 and 5.0.

[bart-degreed]

I should note this problem does not repro when using WebApplicationFactory from an integration test, presumable because things are short-circuited in that case.