-
Notifications
You must be signed in to change notification settings - Fork 17.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
net/url: unescape()
logic doesn't copy invalid bytes following % as expected by most recent spec
#56732
Comments
esacpe()
logic doesn't copy invalid bytes following % as expected by most recent specunescape()
logic doesn't copy invalid bytes following % as expected by most recent spec
Change https://go.dev/cl/450375 mentions this issue: |
Thanks Ian. |
In the next Go release (1.20), parsing URL with invalid percent escape will not throw error anymore [1]. [1] golang/go#56732
Doesn't loosening of URI validation risk propagating invalid %-encodings to other systems that will choke on the invalid URIs (like, for example, something built with go1.19)? This seems opposite to the logic used to justify tightening of ParseIP logic in go1.17 (#30999). I would not have expected the stdlib method to relax validation unconditionally like this |
aside from the question about whether allowing these invalid sequences is going to cause problems with other systems, stdlib methods are widely used to validate things like IPs and URIs which are persisted and have to interoperate with multiple go versions. If this is going to update go1.20 to accept URIs as valid which go1.19 rejected as invalid, can this also include guidance for consumers to roll out this change?
|
if my "git archeology" is correct, that predates #11249 , and makes arguable to change the behavior on the parsers at this point, of course, I'm biased due to the implications of this change in kubernetes/kubernetes :) |
I guess there are two issues conflated in the earlier bug. The first is "Please support decoding Given that 1) there are sites in the wild with |
Do we want to open another issue as this is closed? |
Yeah, I'll open one on Monday |
opened #56884 |
Change https://go.dev/cl/452795 mentions this issue: |
CL is being reverted. |
This reverts CL 450375. Reason for revert: This change causes test failures (and possibly other problems) for users depending on the existing validation behavior. Rolling back the change for now to give us more time to consider its impact. This landed late in the cycle and isn't urgent; it can wait for 1.21 if we do want to make the change. Fixes #56884 For #56732 Change-Id: I082023c67f1bbb933a617453ab92b67abba876ef Reviewed-on: https://go-review.googlesource.com/c/go/+/452795 TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Ian Lance Taylor <iant@google.com> Run-TryBot: Damien Neil <dneil@google.com> Reviewed-by: Heschi Kreinick <heschi@google.com>
Moving this to Go1.23 as it is quite late in the cycle. |
(This is a reopened version of #11249 because the whatwg spec has changed.)
What version of Go are you using (
go version
)?Go 1.19
Does this issue reproduce with the latest release?
Yes.
What operating system and processor architecture are you using (
go env
)?All.
What did you do?
Tried to parse a URL with an "invalid" percent escape. (In this case,
%u0041
).Playground link: https://go.dev/play/p/SqA0_6oLuo3
What did you expect to see?
Printing the URL path as
/%u0041
What did you see instead?
That there was an error parsing the URL.
I'm reopening this bug because the current version of the URL spec for "Percent Encoded Bytes" ( https://url.spec.whatwg.org/#percent-encoded-bytes )
The JavaScript and popular Rust parsers follow this model, which is making interoperability tricky.
JavaScript:
Rust:
https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=f1134169d2851ebe07da4a45e03ff68e
The text was updated successfully, but these errors were encountered: