Can't add secondary email address to acount containing a "+" character

[laalsaas]

Gitea Version

1.15

Git Version

No response

Operating System

No response

How are you running Gitea?

I'm using the hosted Gitea service Codeberg

Database

No response

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Description

I tried to add a new Email address to my account (under settings -> account). The Email address contains the "+" (plus) character. I recieved a verification email with a link looking like this:

https://codeberg.org/user/activate_email?code=>long-hex-number>&[email protected]

When i click on this Link, i just get forwarded to the account-page in the settings (no error message visible), where the second email address still has the "Requires activation"-status.

I think most of you already know where this is leading towards: (I have only surface-level-knowledge of http, so sorry if I use a wrong term) The email address gets submited as a string parameter to a GET-Request, which is probably just created by concatinating the code and the email string to the rest of the link. The "+"-characters are reserved characters in GET-Requests, to represent a space, they probably don't get escaped properly so it's not working. I haven't tried, but I assume this is also the case for all email addresses containing a Character which is allowed in the local-part(the part before the "@"-sign), but a reserved character in a URL (i.e."&")

When I manually substitute the "+" in the verification link for its URL escape character %2B i can add the email address to my account.

Screenshots

No response

[zeripath]

The problem is:

gitea/templates/mail/auth/activate_email.tmpl

Line 8 in 0728479

{{ $activate_url := printf "%suser/activate_email?code=%s&email=%s" AppUrl .Code .Email}}

The email needs to be Queryescaped.

Unfortunately the query escape isn't in the template helper so it would also need to be added to that.