From fdd18b085a8f9c1d2e415e4382560e4d4a190470 Mon Sep 17 00:00:00 2001
From: Karen Etheridge <ether@cpan.org>
Date: Thu, 19 Mar 2026 16:15:58 -0700
Subject: [PATCH] =?UTF-8?q?apply=20the=20ABNF=20for=20path=20parameter=20n?=
 =?UTF-8?q?ames,=20OAS=203.2.0=20=C2=A74.8.2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Header parameter names have already been adjusted.

The ABNF for the query component of URIs is at RFC3986 §3.4, but
percent-encoding is used, which allows for the use of any character.
Additionally, cookies using style=form are also percent-encoded and therefore
allow any character.

Moreover, cookie parameter names are percent-encoded when using style=form,
and even for style=cookie they are not used in serialization of objects when
explode=true, so a restriction on cookie parameter names is not added here;
however applications should apply their own restrictions, following the
"cookie-name" and "cookie-value" ABNFs at RFC6265 §4.1.1 (and ensure that all
disallowed characters are percent-encoded when using style=form).
---
 src/schemas/validation/schema.yaml                | 10 ++++++++++
 tests/schema/fail/parameter-object-path-name.yaml | 10 ++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 tests/schema/fail/parameter-object-path-name.yaml

diff --git a/src/schemas/validation/schema.yaml b/src/schemas/validation/schema.yaml
index 199609b5f8..70ce22b1a8 100644
--- a/src/schemas/validation/schema.yaml
+++ b/src/schemas/validation/schema.yaml
@@ -414,6 +414,15 @@ $defs:
         then:
           required:
             - content
+      - if:
+          properties:
+            in:
+              const: path
+        then:
+          properties:
+            name:
+              $comment: 'see OAS 3.2.0 §4.8.2'
+              pattern: '^[^{}]+$'
       - if:
           properties:
             in:
@@ -421,6 +430,7 @@ $defs:
         then:
           properties:
             name:
+              $comment: 'see RFC9110 §5.1'
               $ref: '#/$defs/token'
     dependentSchemas:
       schema:
diff --git a/tests/schema/fail/parameter-object-path-name.yaml b/tests/schema/fail/parameter-object-path-name.yaml
new file mode 100644
index 0000000000..d3da04de9d
--- /dev/null
+++ b/tests/schema/fail/parameter-object-path-name.yaml
@@ -0,0 +1,10 @@
+openapi: 3.2.0
+info:
+  title: path parameter name has a constrained syntax
+  version: 1.0.0
+components:
+  parameters:
+    BadPath:
+      name: 'Bad{Path}'
+      in: path
+      schema: {}