http: use Query.Get instead of FormValue, allows POST through

lib/challenge/helper.go

@@ -39,11 +39,13 @@ const VerifyChallengeUrlSuffix = "/verify-challenge"
 
 func GetVerifyInformation(r *http.Request, reg *Registration) (requestId RequestId, redirect, token string, err error) {
 
-	if r.FormValue(QueryArgChallenge) != reg.Name {
-		return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", r.FormValue(QueryArgChallenge))
+	q := r.URL.Query()
+
+	if q.Get(QueryArgChallenge) != reg.Name {
+		return RequestId{}, "", "", fmt.Errorf("unexpected challenge: got %s", q.Get(QueryArgChallenge))
 	}
 
-	requestIdHex := r.FormValue(QueryArgRequestId)
+	requestIdHex := q.Get(QueryArgRequestId)
 
 	if len(requestId) != hex.DecodedLen(len(requestIdHex)) {
 		return RequestId{}, "", "", errors.New("invalid request id")
@@ -55,8 +57,8 @@ func GetVerifyInformation(r *http.Request, reg *Registration) (requestId Request
 		return RequestId{}, "", "", errors.New("invalid request id")
 	}
 
-	token = r.FormValue(QueryArgToken)
-	redirect, err = utils.EnsureNoOpenRedirect(r.FormValue(QueryArgRedirect))
+	token = q.Get(QueryArgToken)
+	redirect, err = utils.EnsureNoOpenRedirect(q.Get(QueryArgRedirect))
 	if err != nil {
 		return RequestId{}, "", "", err
 	}

lib/http.go

@@ -96,11 +96,12 @@ func (state *State) handleRequest(w http.ResponseWriter, r *http.Request) {
 		if fromChallenge {
 			r.Header.Del("Referer")
 		}
-		if ref := r.FormValue(challenge.QueryArgReferer); ref != "" {
+		q := r.URL.Query()
+
+		if ref := q.Get(challenge.QueryArgReferer); ref != "" {
 			r.Header.Set("Referer", ref)
 		}
 
-		q := r.URL.Query()
 		// delete query parameters that were set by go-away
 		for k := range q {
 			if strings.HasPrefix(k, challenge.QueryArgPrefix) {