From cef915b35303ac0e1516da3e203784f08c0f9b63 Mon Sep 17 00:00:00 2001
From: WeebDataHoarder
Date: Wed, 23 Apr 2025 21:30:39 +0200
Subject: [PATCH] http: use Query.Get instead of FormValue, allows POST through
---
 lib/challenge/helper.go | 12 +++++++-----
 lib/http.go | 5 +++--
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/lib/challenge/helper.go b/lib/challenge/helper.go
index 44f7906..5239a9a 100644
--- a/lib/challenge/helper.go
+++ b/lib/challenge/helper.go
@@ -39,11 +39,13 @@ const VerifyChallengeUrlSuffix = "/verify-challenge"
 func GetVerifyInformation(r *http.Request, reg *Registration) (requestId RequestId, redirect, token string, err error) {
- if r.FormValue(QueryArgChallenge) != reg.Name {
- return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", r.FormValue(QueryArgChallenge))
+ q := r.URL.Query()
+
+ if q.Get(QueryArgChallenge) != reg.Name {
+ return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", q.Get(QueryArgChallenge))
 }
- requestIdHex := r.FormValue(QueryArgRequestId)
+ requestIdHex := q.Get(QueryArgRequestId)
 if len(requestId) != hex.DecodedLen(len(requestIdHex)) {
 return RequestId{}, "", "", errors.New("invalid request id")
@@ -55,8 +57,8 @@ func GetVerifyInformation(r *http.Request, reg *Registration) (requestId Request
 return RequestId{}, "", "", errors.New("invalid request id")
 }
- token = r.FormValue(QueryArgToken)
- redirect, err = utils.EnsureNoOpenRedirect(r.FormValue(QueryArgRedirect))
+ token = q.Get(QueryArgToken)
+ redirect, err = utils.EnsureNoOpenRedirect(q.Get(QueryArgRedirect))
 if err != nil {
 return RequestId{}, "", "", err
 }
diff --git a/lib/http.go b/lib/http.go
index dcee241..c696b26 100644
--- a/lib/http.go
+++ b/lib/http.go
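Review bot: In lib/challenge/helper.go, the error returned from the first check in GetVerifyInformation still formats the client-supplied challenge name with `%s`, so the message carries the percent-decoded query text verbatim, including any newlines or control characters. Quoting the value keeps a log line or error page unambiguous: `fmt.Errorf("unexpected challenge: got %q", q.Get(QueryArgChallenge))`. Where this error is logged or rendered is not visible in the hunk, so the impact is unconfirmed. The function body continues past the end of this hunk.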
@@ -96,11 +96,12 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 if fromChallenge {
 r.Header.Del("Referer")
 }
- if ref := r.FormValue(challenge.QueryArgReferer); ref != "" {
+ q := r.URL.Query()
+
+ if ref := q.Get(challenge.QueryArgReferer); ref != "" {
 r.Header.Set("Referer", ref)
 }
- q := r.URL.Query()
 // delete query parameters that were set by go-away
 for k := range q {
 if strings.HasPrefix(k, challenge.QueryArgPrefix) {
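Review bot: The `Referer` header is set from `q.Get(challenge.QueryArgReferer)` with no check on its content, and because the query value is percent-decoded it can contain CR/LF or other control characters. How the request is forwarded is not visible here, so the effect may be a failed upstream round trip or a malformed header reaching the backend; a guard such as `if ref := q.Get(challenge.QueryArgReferer); ref != "" && !strings.ContainsAny(ref, "\r\n") {` keeps the value to a single header line. A short comment above `q := r.URL.Query()` noting that the URL query is read instead of `FormValue` so that a POST body is left unparsed would record why the lookup changed (inferred from the commit subject). handleRequest begins and ends outside the hunk.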