Closed
by aaron.blohowiak:
What does 'go version' print?

go version go1.2.1 darwin/amd64

I checked the source in tip and the problem is also there.

What steps reproduce the problem? If possible, include a link to a program on play.golang.org.

http://play.golang.org/p/4ZbUkex2Wm

What happened?

RequestURI() returns a path with many valid characters escaped.

What should have happened instead?

All sub-delim characters MUST NOT be escaped.

Please provide any additional information below.

Using the ReverseProxy breaks OAuth signing verification because of url.URL RequestURI()'s incorrect replacement of reserved characters with their encoded counterparts in shouldEncode().

There is a workaround of creating a custom Director that looks at the RequestURI and performs the correct parsing and escaping, populating the req.URL.Opaque and draining the req.URL.Path, but it would be better for the std library to do the right thing.

Code that relies on the current escaping behavior is wrong, so I do not believe that fixing this would violate the stability guarantee.

This violates the http spec:

rfc3986 §2.2 Reserved Characters

The purpose of reserved characters is to provide a set of delimiting characters that are distinguishable from other data within a URI. URIs that differ in the replacement of a reserved character with its corresponding percent-encoded octet are not equivalent. Percent-encoding a reserved character, or decoding a percent-encoded octet that corresponds to a reserved character, will change how the URI is interpreted by most applications. Thus, characters in the reserved set are protected from normalization and are therefore safe to be used by scheme-specific and producer-specific algorithms for delimiting data subcomponents within a URI.
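The equivalence rule quoted from RFC 3986 §2.2 can be turned into a check that a proxy test runs on the request target it received versus the one it forwards. This is an added example, not code from the issue or from the Go standard library; `compareTargets` and `next` are hypothetical helpers and the sample paths are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// RFC 3986 §2.2 reserved set: gen-delims followed by sub-delims.
const reserved = ":/?#[]@" + "!$&'()*+,;="

// next reads one octet of s at index i: a %XX triplet or a literal byte.
func next(s string, i int) (b byte, escaped bool, n int) {
	if s[i] == '%' && i+2 < len(s) {
		if v, err := strconv.ParseUint(s[i+1:i+3], 16, 8); err == nil {
			return byte(v), true, 3
		}
	}
	return s[i], false, 1
}

// compareTargets classifies two request targets (hypothetical helper):
// "identical", "equivalent" (escaping differs only for non-reserved octets),
// "reserved-diff" (a reserved character is literal in one, escaped in the
// other, so per §2.2 the URIs are not equivalent), or "different".
func compareTargets(a, b string) string {
	if a == b {
		return "identical"
	}
	result := "equivalent"
	i, j := 0, 0
	for i < len(a) && j < len(b) {
		ca, ea, na := next(a, i)
		cb, eb, nb := next(b, j)
		if ca != cb {
			return "different"
		}
		if ea != eb && strings.IndexByte(reserved, ca) >= 0 {
			result = "reserved-diff"
		}
		i, j = i+na, j+nb
	}
	if i != len(a) || j != len(b) {
		return "different"
	}
	return result
}

func main() {
	// Constructed sample: target as signed by the client vs. as forwarded.
	fmt.Println(compareTargets("/photos/(1);v=2", "/photos/%281%29%3Bv=2"))
}
```

A result of "reserved-diff" between the incoming and outgoing target means any signature computed over the original request line will no longer verify downstream.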