From 256da58194d7e8ce1e61ab4def6cdfdbb13a1673 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer <dietmar@proxmox.com>
Date: Tue, 2 May 2017 09:58:53 +0200
Subject: [PATCH] assume all parameters are utf8 encoded

Previously, we called decode_utf8_parameters(), which only encoded
some parameters. This was just an optimization, and it turend out to
be error prone (for example passwords also contain utf8 parameters).
---
 PVE/APIServer/AnyEvent.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index 99a9765..b2d58c5 100755
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -29,6 +29,7 @@ use AnyEvent::IO;
 use AnyEvent::HTTP;
 use Fcntl ();
 use Compress::Zlib;
+use Encode;
 use PVE::SafeSyslog;
 use PVE::INotify;
 use PVE::Tools;
@@ -617,6 +618,7 @@ sub proxy_request {
 }
 
 # return arrays as \0 separated strings (like CGI.pm)
+# assume data is UTF8 encoded
 sub decode_urlencoded {
     my ($data) = @_;
 
@@ -631,6 +633,8 @@ sub decode_urlencoded {
 	$v =~s/\+/ /g;
 	$v =~ s/%([0-9a-fA-F][0-9a-fA-F])/chr(hex($1))/eg;
 
+	$v = Encode::decode('utf8', $v);
+
 	if (defined(my $old = $res->{$k})) {
 	    $res->{$k} = "$old\0$v";
 	} else {
@@ -655,7 +659,7 @@ sub extract_params {
 	$params->{$k} = $query_params->{$k};
     }
 
-    return PVE::Tools::decode_utf8_parameters($params);
+    return $params;
 }
 
 sub handle_api2_request {
-- 
2.39.2