Permalink
Browse files

Fix semicolons as separators for GET

Fix to use semicolons as separators for GET not for POST
A semicolon ';' should be used as a separator according to a W3.org recommendation
http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2.2

The following commit was for only POST not for GET, but the test is
written for GET, which is kind of a discrepancy.
Do not truncate POST data on `;`, closes #543
71c6911
  • Loading branch information...
Nyoho committed Jan 7, 2015
1 parent dfda3a5 commit 6af5f928f3a860e9bb74fc0bdd83b30be9d722a9
Showing with 21 additions and 10 deletions.
  1. +4 −4 lib/rack/request.rb
  2. +17 −6 test/spec_request.rb
@@ -188,7 +188,7 @@ def GET
if @env["rack.request.query_string"] == query_string
@env["rack.request.query_hash"]
else
p = parse_query(query_string)
p = parse_query(query_string, '&;')
@env["rack.request.query_string"] = query_string
@env["rack.request.query_hash"] = p
end
@@ -212,7 +212,7 @@ def POST
form_vars.slice!(-1) if form_vars[-1] == ?\0

@env["rack.request.form_vars"] = form_vars
@env["rack.request.form_hash"] = parse_query(form_vars)
@env["rack.request.form_hash"] = parse_query(form_vars, '&')

@env["rack.input"].rewind
end
@@ -365,8 +365,8 @@ def reject_trusted_ip_addresses(ip_addresses)
ip_addresses.reject { |ip| trusted_proxy?(ip) }
end

def parse_query(qs)
Utils.parse_nested_query(qs, '&')
def parse_query(qs, d)
Utils.parse_nested_query(qs, d)
end

def parse_multipart(env)
@@ -134,14 +134,25 @@
req.params.should.equal "foo" => "bar", "quux" => "bla"
end

should "not truncate query strings containing semi-colons #543" do
req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la"))
req.query_string.should.equal "foo=bar&quux=b;la"
req.GET.should.equal "foo" => "bar", "quux" => "b;la"
req.POST.should.be.empty
req.params.should.equal "foo" => "bar", "quux" => "b;la"
should "not truncate query strings containing semi-colons #543 only in POST" do
mr = Rack::MockRequest.env_for("/",
"REQUEST_METHOD" => 'POST',
:input => "foo=bar&quux=b;la")
req = Rack::Request.new mr
req.query_string.should.equal ""
req.GET.should.be.empty
req.POST.should.equal "foo" => "bar", "quux" => "b;la"
req.params.should.equal req.GET.merge(req.POST)
end

should "use semi-colons as separators for query strings in GET" do
req = Rack::Request.new(Rack::MockRequest.env_for("/?foo=bar&quux=b;la;wun=duh"))
req.query_string.should.equal "foo=bar&quux=b;la;wun=duh"
req.GET.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh"
req.POST.should.be.empty
req.params.should.equal "foo" => "bar", "quux" => "b", "la" => nil, "wun" => "duh"
end

should "limit the keys from the GET query string" do
env = Rack::MockRequest.env_for("/?foo=bar")

0 comments on commit 6af5f92

Please sign in to comment.