Treat invalid percent encoding consistently #5461
Comments
I can not find the rationale in the code history. (0) The original implementation (0) (1) (2) (3) (4)
@mgiuca himself recently changed his mind. (the point of that particular comment is to make '%s -> %s' a special case,
Hello, I haven't dug deeply into the issue (but please note that my previous interaction with this project was in 2012, so it's entirely possible I made a mistake or changed my mind since then!) Also note that the entire URL standard has been rewritten since then; the URL standard that I'm commenting on in the above quote didn't exist in 2012. Based on your above description, I agree that it doesn't make sense to treat
Except that once passed to an HTTP client, nothing will be substituting anything into them later. And if this is being returned as part of a redirect in the Location header, then that means that the user will want to handle redirects themselves; otherwise the re-quoting is most likely valid.
Is it possible at all, in the case of registerProtocolHandler's '%s' url?
What are you talking about
It is the only case a URL parser has to specially handle. That's why, in the above comment link, mgiuca was considering:
In any other cases, my proposal in the first comment should be OK.
And it is the concern for general URL parsers.
Quick note that the strings accepted by A generic URL parser does not need to be able to handle
@mgiuca thank you!
The present form of `requote_uri` unnecessarily divides invalid cases.

When alpha-numeric, '%' is quoted to '%25'. E.g. `%pp` to `%25pp`.

When not alpha-numeric, '%' is kept as is. E.g. `%--` to `%--`. (Note these two examples are in the tests, and the latter is for `unquote_unreserved`, but the result is the same.) Or `%<<` to `%%3C%3C`.

But I think '%' should be quoted in all invalid cases. (Or to put it differently, isolated '%' must be quoted.)
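As an added example (my own code, not the issue author's or the requests library's), the rule proposed above implemented as a self-contained Python function: every '%' that does not start a valid `%XX` escape is quoted to `%25`, valid escapes of unreserved characters are decoded, and all other valid escapes are kept. The name `requote_uri_consistent` and the `SAFE` set are assumptions; the three inputs from the post are used as the check.

```python
import re
from urllib.parse import quote

# RFC 3986 unreserved characters: a valid %XX escape of one of these is decoded.
UNRESERVED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
# Reserved characters left untouched on re-quoting. '%' is deliberately NOT in
# this set, so any '%' the regex below did not accept is encoded as '%25'.
# (Assumed set for this example, not requests' own configuration.)
SAFE = "!#$&'()*+,/:;=?@[]~"
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def requote_uri_consistent(uri: str) -> str:
    """Re-quote a URI so that an isolated '%' is always encoded as '%25',
    whatever follows it, while valid %XX escapes are preserved (or decoded
    when they encode an unreserved character)."""
    out = []
    pos = 0
    for m in _PCT.finditer(uri):
        # Text between valid escapes is ordinary text; quote it with '%' unsafe,
        # so "%pp", "%--" and "%<<" all become "%25..." rather than three outcomes.
        out.append(quote(uri[pos:m.start()], safe=SAFE))
        c = chr(int(m.group(1), 16))
        # "%41" -> "A"; "%3C" stays "%3C" (normalised to upper-case hex).
        out.append(c if c in UNRESERVED else "%" + m.group(1).upper())
        pos = m.end()
    out.append(quote(uri[pos:], safe=SAFE))
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs: the three cases from the post plus some valid escapes.
    for sample in ("%pp", "%--", "%<<", "%3C", "%41bc", "100%25",
                   "http://example.com/a b%"):
        print(f"{sample!r:28} -> {requote_uri_consistent(sample)!r}")
```

Running the function twice on the same input returns the same string, so the re-quoting is idempotent and a URL that was already correctly encoded is not altered.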