Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Hex digits in URL encoding should be upper-case #2281

nnposter opened this issue Apr 1, 2021 · 1 comment

Hex digits in URL encoding should be upper-case #2281

nnposter opened this issue Apr 1, 2021 · 1 comment


Copy link

nnposter commented Apr 1, 2021

NSE function url.escape is currently using lower-case hexadecimal digits to perform URL encoding (a.k.a. percent encoding). While this is allowed by RFC 3986, section 2.1, it is also recommended that upper-case digits are used:

For consistency, URI producers and normalizers should use uppercase hexadecimal digits for all percent-encodings.

Implementing this change would bring the NSE implementation in line with browser behavior but, more importantly, there are real-world web servers, such as Tridium Niagara, that do not properly parse lower-case hexadecimal digits.

The code change is trivial, but the function is very widely used throughout the NSE code base so it deserves an opportunity for discussion. If no objections are raised then the following patch will be committed in early May:

--- a/nselib/url.lua
+++ b/nselib/url.lua
@@ -58,7 +58,7 @@
 local function hex_esc (c)
-  return string.format("%%%02x", string.byte(c))
+  return string.format("%%%02X", string.byte(c))
 -- these are allowed within a path segment, along with alphanum
Copy link

Committed in r38218.

mzet- pushed a commit to mzet-/Nmap-for-Pen-Testers that referenced this issue Dec 20, 2021
@nmap nmap deleted a comment Apr 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet

No branches or pull requests

1 participant