Skip to content

net/http: ServeMux uses URL.Path instead of URL.EscapedPath(), leading it to treat %2F as a path separator #14815

Closed
@imax9000

Description

@imax9000

Please answer these questions before submitting your issue. Thanks!

  1. What version of Go are you using (go version)?
    go version go1.6 darwin/amd64
  2. What did you do?
    http://play.golang.org/p/60StDlOnw8
    It doesn't work on play.golang.org, but when you run it on local machine it results in:
2016/03/14 14:40:10 http: panic serving 127.0.0.1:58546: /a/b
  1. What did you expect to see?
    I expected HTTP handler to get a request with URL equivalent to URL in original request, i.e. /a%2F%2Fb. Per https://tools.ietf.org/html/rfc3986#section-2.2 /a/b and even /a//b are NOT EQUIVALENT to /a%2F%2Fb

This happens because http.ServeMux uses URL.Path, which already contains wrong data /a//b, does some normalization on that and issues a redirect to /a/b, so user handler is never invoked during the initial request, only after this redirect.

I suggest one of these ways to fix this:

  1. Make net/url percent-decode only unreserved characters, making it compliant with RFC3986
  2. Use EscapedPath() in http.ServeMux, so it will see the data before net/url spoiled it

Both options (and probably any other) break API in one way or another.

Yes, I saw the response on #8248 that this is documented behavior, but it directly contradicts relevant Internet standard, so it's worth to be changed.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions