Fix a number of issues with URL-unsafe queue names, fixes #3327

2022-11-09 13:52:34 -05:00 · 2017-01-24 10:27:50 -08:00 · 2017-01-24 10:27:50 -08:00 · 878ffff0c9
commit 878ffff0c9
parent 62bffb7e24
3 changed files with 5 additions and 5 deletions
--- a/lib/sidekiq/web/application.rb
+++ b/lib/sidekiq/web/application.rb
@ -85,7 +85,7 @@ module Sidekiq
      name = route_params[:name]
      Sidekiq::Job.new(params['key_val'], name).delete
-      redirect_with_query("#{root_path}queues/#{name}")
+      redirect_with_query("#{root_path}queues/#{CGI.escape(name)}")
    end
    get '/morgue' do
--- a/web/views/queue.erb
+++ b/web/views/queue.erb
@ -8,7 +8,7 @@
    </h3>
  </div>
  <div class="col-sm-4 pull-right">
-    <%= erb :_paging, locals: { url: "#{root_path}queues/#{@name}" } %>
+    <%= erb :_paging, locals: { url: "#{root_path}queues/#{CGI.escape(@name)}" } %>
  </div>
 </header>
 <div class="table_container">
@ -32,7 +32,7 @@
          <% end %>
        </td>
        <td>
-          <form action="<%= root_path %>queues/<%= @name %>/delete" method="post">
+          <form action="<%= root_path %>queues/<%= CGI.escape(@name) %>/delete" method="post">
            <%= csrf_tag %>
            <input name="key_val" value="<%= h Sidekiq.dump_json(msg.item) %>" type="hidden" />
            <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSure') %>" />
--- a/web/views/queues.erb
+++ b/web/views/queues.erb
@ -10,14 +10,14 @@
    <% @queues.each do |queue| %>
      <tr>
        <td>
-          <a href="<%= root_path %>queues/<%= queue.name %>"><%= queue.name %></a>
+          <a href="<%= root_path %>queues/<%= CGI.escape(queue.name) %>"><%= h queue.name %></a>
          <% if queue.paused? %>
            <span class="label label-danger"><%= t('Paused') %></span>
          <% end %>
        </td>
        <td><%= number_with_delimiter(queue.size) %> </td>
        <td class="delete-confirm">
-          <form action="<%=root_path %>queues/<%= queue.name %>" method="post">
+          <form action="<%=root_path %>queues/<%= CGI.escape(queue.name) %>" method="post">
            <%= csrf_tag %>
            <input class="btn btn-danger btn-xs" type="submit" name="delete" value="<%= t('Delete') %>" data-confirm="<%= t('AreYouSureDeleteQueue', :queue => h(queue.name)) %>" />
          </form>