not handling escaped forward slashes properly

[tmornini]

Hey there. Just found this issue:

package main

import (
	"net/http"

	"github.com/julienschmidt/httprouter"
)

func main() {
	router := httprouter.New()

	router.GET(
		"/networks/:network-id/accounts/:network-account-id/purchases/:purchase-id",
		getPurchaseHTTPRouter,
	)

	panic(http.ListenAndServe(":8080", router))
}

func getPurchaseHTTPRouter(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
	w.WriteHeader(200)
	w.Write([]byte("routed\n"))
}

Without an encoded forward slash, this works correctly:

$ curl localhost:8080/networks/1/accounts/2/purchases/3
routed

But with an encoded forward slash, it does not.

$ curl localhost:8080/networks/1/accounts/2/purchases/3%2F4
404 page not found

I'm quite confident that the second example should have routed and the purchase-id parameters should be set to "3/4"

[RazerM]

ORY Hydra had an API where you accept a parameter like /login?login_challenge={challenge}, and then you call Hydra's API with /oauth2/auth/requests/login/{challenge}. They recently changed to use query parameters so the API caller doesn't have to escape the challenge (ory/hydra#1307).

The linked issue says "if [the] challenge is not properly escaped", but that's not true because it uses httprouter! Calling /oauth2/auth/requests/login/..%2F..%2F..%2F..%2Fclients (which is properly escaped) would change the Hydra request path.

I don't use httprouter directly, but when Hydra announced the change and I checked that even with escaping it doesn't work I was quite surprised.

RFC 3986: "When to Encode or Decode":

When a URI is dereferenced, the components and subcomponents
significant to the scheme-specific dereferencing process (if any)
must be parsed and separated before the percent-encoded octets within
those components can be safely decoded, as otherwise the data may be
mistaken for component delimiters.