Hex digits in URL encoding should be upper-case #2281

Closed
nnposter opened this issue Apr 1, 2021 · 1 comment

@nnposter nnposter commented Apr 1, 2021

NSE function url.escape is currently using lower-case hexadecimal digits to perform URL encoding (a.k.a. percent encoding). While this is allowed by RFC 3986, section 2.1, it is also recommended that upper-case digits are used:

For consistency, URI producers and normalizers should use uppercase hexadecimal digits for all percent-encodings.

Implementing this change would bring the NSE implementation in line with browser behavior but, more importantly, there are real-world web servers, such as Tridium Niagara, that do not properly parse lower-case hexadecimal digits.

The code change is trivial, but the function is very widely used throughout the NSE code base so it deserves an opportunity for discussion. If no objections are raised then the following patch will be committed in early May:

--- a/nselib/url.lua
+++ b/nselib/url.lua
@@ -58,7 +58,7 @@
 end
 
 local function hex_esc (c)
-  return string.format("%%%02x", string.byte(c))
+  return string.format("%%%02X", string.byte(c))
 end
 
 -- these are allowed within a path segment, along with alphanum
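
Review bot: In `hex_esc`, the switch to `%%%02X` changes the escaped output seen by every caller, but nothing at the function records why upper case is required, so a later cleanup could silently revert it. Suggest a one-line comment above `hex_esc` citing RFC 3986 section 2.1 and the servers that fail on lower-case digits, plus a check of the calling scripts for comparisons of escaped output against lower-case literals such as `%2f`.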

@nnposter nnposter commented May 17, 2021

Committed in r38218.

@nmap-bot nmap-bot closed this in 67a04de May 17, 2021
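
The case rule discussed in this issue, as an added Lua example (not code from nselib/url.lua or the Nmap project): an encoder that emits upper-case digits, a decoder that accepts either case as RFC 3986 allows, and a normalizer for comparing URLs or log entries. All function names and sample strings are constructed for illustration.

```lua
-- Added example; function names are hypothetical, not part of nselib.

-- Encode every byte outside the RFC 3986 unreserved set, using upper-case
-- hex digits. Assumes the C locale so that %w means ASCII alphanumerics.
local function pct_encode(s)
  return (s:gsub("[^%w%-%._~]", function(c)
    return string.format("%%%02X", c:byte())
  end))
end

-- Decode well-formed percent-triplets. %x matches both cases, so "%2f" and
-- "%2F" decode to the same byte; a parser that accepts only one case is
-- the kind of server-side defect the issue describes.
local function pct_decode(s)
  return (s:gsub("%%(%x%x)", function(h)
    return string.char(tonumber(h, 16))
  end))
end

-- Upper-case the hex digits of well-formed triplets only. Malformed
-- sequences such as "%zz" or a trailing "%2" are left untouched so they
-- stay visible to whatever validation runs next.
local function normalize_pct_case(s)
  return (s:gsub("%%(%x%x)", function(h) return "%" .. h:upper() end))
end

-- Two strings that differ only in triplet case are equivalent.
local function pct_equivalent(a, b)
  return normalize_pct_case(a) == normalize_pct_case(b)
end

-- Constructed sample inputs.
local samples = { "/a%2fb%3a", "/a%2Fb%3A", "/bad%zz%2", "/caf%c3%a9" }
for _, s in ipairs(samples) do
  print(s, normalize_pct_case(s), pct_decode(s))
end

assert(pct_encode("a/b:c") == "a%2Fb%3Ac")
assert(pct_decode("%2f") == pct_decode("%2F"))
assert(pct_equivalent("/a%2fb", "/a%2Fb"))
assert(normalize_pct_case("/bad%zz%2") == "/bad%zz%2")
```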