Fix semicolons as separators for GET

Fix to use semicolons as separators for GET not for POST A semicolon ';' should be used as a separator according to a W3.org recommendation http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2 The following commit was for only POST not for GET, but the test is written for GET, which is kind of a discrepancy. Do not truncate POST data on `;`, closes rack#543 rack@71c6911
Nyoho · Jan 7, 2015 · 6af5f92 · 6af5f92
1 parent dfda3a5
commit 6af5f92
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 10 deletions.
diff --git a/lib/rack/request.rb b/lib/rack/request.rb
@@ -188,7 +188,7 @@ def GET
       if @env["rack.request.query_string"] == query_string
         @env["rack.request.query_hash"]
       else
-        p = parse_query(query_string)
+        p = parse_query(query_string, '&;')
         @env["rack.request.query_string"] = query_string
         @env["rack.request.query_hash"]   = p
       end
@@ -212,7 +212,7 @@ def POST
           form_vars.slice!(-1) if form_vars[-1] == ?\0
 
           @env["rack.request.form_vars"] = form_vars
-          @env["rack.request.form_hash"] = parse_query(form_vars)
+          @env["rack.request.form_hash"] = parse_query(form_vars, '&')
 
           @env["rack.input"].rewind
         end
@@ -365,8 +365,8 @@ def reject_trusted_ip_addresses(ip_addresses)
         ip_addresses.reject { |ip| trusted_proxy?(ip) }
       end
 
-      def parse_query(qs)
-        Utils.parse_nested_query(qs, '&')
+      def parse_query(qs, d)
+        Utils.parse_nested_query(qs, d)
       end
 
       def parse_multipart(env)

diff --git a/test/spec_request.rb b/test/spec_request.rb
@@ -134,14 +134,25 @@
     req.params.should.equal "foo" => "bar", "quux" => "bla"
   end
 
-  should "not truncate query strings containing semi-colons #543" do
-    req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la"))
-    req.query_string.should.equal "foo=bar&quux=b;la"
-    req.GET.should.equal "foo" => "bar", "quux" => "b;la"
-    req.POST.should.be.empty
-    req.params.should.equal "foo" => "bar", "quux" => "b;la"
+  should "not truncate query strings containing semi-colons #543 only in POST" do
+    mr = Rack::MockRequest.env_for("/",
+      "REQUEST_METHOD" => 'POST',
+      :input => "foo=bar&quux=b;la")
+    req = Rack::Request.new mr
+    req.query_string.should.equal ""
+    req.GET.should.be.empty
+    req.POST.should.equal "foo" => "bar", "quux" => "b;la"
+    req.params.should.equal req.GET.merge(req.POST)
   end
 
+  should "use semi-colons as separators for query strings in GET" do
+    req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la;wun=duh"))
+    req.query_string.should.equal "foo=bar&quux=b;la;wun=duh"
+    req.GET.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh"
+    req.POST.should.be.empty
+    req.params.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh"
+  end
+
   should "limit the keys from the GET query string" do
     env = Rack::MockRequest.env_for("/?foo=bar")