Plus (+) symbols are no longer being decoded into spaces when part of a URL capture #463

Closed
boucher opened this Issue · 9 comments

6 participants

@boucher

A route defined like so:

get '/foo/:bar' do
    body "Hey #{params[:bar]}\n"
end

Used to behave like this in 1.2.6:

boucher ~ $ curl http://localhost:4567/foo/b+ar
Hey b ar

But in 1.3.2 it behaves like this:

boucher ~ $ curl http://localhost:4567/foo/b+ar
Hey b+ar

This does not, however, affect params sent in the post body. Plus symbols are still converted into spaces there.

@boucher

The issue here is the URI.decode in process_route. I think the fix is to use URI.decode_www_form_component, though I'm not sure if something special needs to be done to use it pre Ruby-1.9.2 (it's backported into Rack, so presumably it should be OK to use?).

@rkh rkh closed this in 311aa42
@jdolan

I'm still seeing this issue in 1.3.3. Any ideas?

@rkh rkh reopened this
@jdolan

I ended up using boucher's recommendation above (URI.decode_www_form_component) for the parameters I'm taking which might have spaces in them, but this still seems like a bug. It automatically decodes %20 just fine, but other URL encoding libs (e.g. Apache Commons) will send in + instead.

@ajorgensen

I am also running into this issue. Is there a reason that boucher's fix made it into master but not the latest 1.3.3 release?

@rkh rkh referenced this issue from a commit
@boucher boucher Plus symbols in the URL should be converted to spaces when considered…
… as param values. Closes #463.

Signed-off-by: Konstantin Haase <konstantin.mailinglists@googlemail.com>
babe1e8
@rkh rkh closed this
@rkh rkh referenced this issue from a commit
@rkh rkh Revert "Plus symbols in the URL should be converted to spaces when co…
…nsidered as param values. Closes #463."

This reverts commit babe1e8.

Conflicts:
	lib/sinatra/base.rb

Fixes #638
b4d7d4b
@Rican7 Rican7 referenced this issue in chriso/klein.php
Closed

Named params should be urldecode'd #117

@rodowi

Still happens with query parameters in 1.4.5

GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.3.5)
    crack (0.3.2)
    rack (1.5.2)
    rack-protection (1.5.3)
      rack
    rack-test (0.6.2)
      rack (>= 1.0)
    rake (10.2.2)
    sinatra (1.4.5)
      rack (~> 1.4)
      rack-protection (~> 1.4)
      tilt (~> 1.3, >= 1.3.4)
    tilt (1.4.1)
    webmock (1.8.11)
      addressable (>= 2.2.7)
      crack (>= 0.1.7)

PLATFORMS
  ruby

If I request /forecast?url=http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?

get '/forecast' do
  puts params[:url]
end

I get:

➜  weatherman git:(fix-url-breakage) ✗ ruby test/test_api.rb -n /Latest/
Run options: -n /Latest/ --seed 13412

# Running tests:
http://www.nhc.noaa.gov/text/refresh/MIATCMEP1 shtml/232030.shtml
@rkh rkh reopened this
@rodowi
  it "does not convert plus sign into space as the value of a named param" do
    mock_app do
      get '/forecast' do
        params["url"]
      end
    end
    get '/forecast?url=http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?'
    assert ok?
    assert_equal 'http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?', body
  end

PoC:

~/c/ruby/sinatra (fix-param-spacing*) $ ruby test/routing_test.rb
Run options: 

# Running tests:

[ 23/100] RoutingTest#test_does_not_convert_plus_sign_into_space_as_the_valu        
  1) Failure:
RoutingTest#test_does_not_convert_plus_sign_into_space_as_the_value_of_a_named_param_0 [test/routing_test.rb:373]:
<"http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?"> expected but was
<"http://www.nhc.noaa.gov/text/refresh/MIATCMEP1 shtml/240833.shtml?">.

Finished tests in 0.522258s, 191.4762 tests/s, 645.2749 assertions/s.               
100 tests, 337 assertions, 1 failures, 0 errors, 0 skips

ruby -v: ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-darwin11.0]
@rodowi

Never mind, I realized this should be closed.

Following http://tools.ietf.org/html/rfc3986#appendix-A means '+' is reserved, therefore any client making requests with '+' should encode it as '%2B'.

@zzak
Collaborator

:+1: on leaving "+" => " "

@rkh_facts

@zzak zzak closed this
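
The two decoding rules discussed in this thread, side by side, as an added example that is not Sinatra's code or any participant's. The helper names are hypothetical; the sample values are the ones quoted in the comments above. It shows why a raw `+` is ambiguous and which client-side encodings decode identically under both rules.

```ruby
require 'uri'

# Percent-decoding only (RFC 3986 path semantics): '+' is left untouched.
def decode_path_segment(raw)
  raw.b.gsub(/%(\h\h)/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Form decoding (application/x-www-form-urlencoded): '+' becomes a space.
def decode_form_value(raw)
  URI.decode_www_form_component(raw)
end

# True when the two rules disagree, i.e. the server's choice of decoder
# changes the value the application (and any validation in front of it) sees.
def ambiguous?(raw)
  decode_path_segment(raw) != decode_form_value(raw)
end

# Encoding for a query-string value: a literal '+' becomes %2B.
def encode_query_value(value)
  URI.encode_www_form_component(value)
end

# Encoding for a path segment: form encoding writes a space as '+', which a
# percent-only decoder would keep as a plus sign, so use %20 instead.
def encode_path_segment(value)
  URI.encode_www_form_component(value).gsub('+', '%20')
end

if __FILE__ == $PROGRAM_NAME
  # Values taken from the thread.
  forecast = 'http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?'
  ['b+ar', 'b%20ar', encode_query_value(forecast), encode_path_segment('b ar')].each do |raw|
    puts format('%-90s path=%-70p form=%-70p ambiguous=%s',
                raw, decode_path_segment(raw), decode_form_value(raw), ambiguous?(raw))
  end
end
```

A raw `+` is the only one of these inputs whose meaning depends on the decoder; `%2B` and `%20` decode the same way under both rules.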