net/url: unescape doesn't handle certain forms of double encoding #49120
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
What version of Go are you using (
go version
)?Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?go env
OutputWhat did you do?
We ran into an issue where Go's net/url unescape function threw an error on a variant of double encoding that doesn't happen in other programming languages. A specific example is using
%%32%65
as an alternative to%252e
. Here's a demonstration of the error in Go playground:https://play.golang.org/p/bfPg9f_oGxF
The docs are fairly clear about this and say:
The issue however is that other languages use an algorithm similar to the one specified in WHATWG's URL spec.
An example from Python's urllib:
Another example using Rust servo percent-encoding crate:
https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=a4fe1ba83872cb894ad56a85845abeba
What did you expect to see?
I would expect it to be handled similar to the WHATWG URL spec for percent decoding. In this very specific example it would decode to
%2e
.What did you see instead?
A decoding error show here:
https://play.golang.org/p/bfPg9f_oGxF
The text was updated successfully, but these errors were encountered: