Plus (+) symbols are no longer being decoded into spaces when part of a URL capture #463

Closed
boucher opened this Issue Feb 8, 2012 · 9 comments

Projects

None yet

6 participants

@boucher

A route defined like so:

get '/foo/:bar' do
    body "Hey #{params[:bar]}\n"
end

Used to behave like this in 1.2.6:

boucher ~ $ curl http://localhost:4567/foo/b+ar
Hey b ar

But in 1.3.2 it behaves like this:

boucher ~ $ curl http://localhost:4567/foo/b+ar
Hey b+ar

This does not, however, affect params sent in the post body. Plus symbols are still converted into spaces there.

@boucher

The issue here is the URI.decode in process_route. I think the fix is to use URI.decode_www_form_component, though I'm not sure if something special needs to be done to use it pre Ruby-1.9.2 (it's backported into Rack, so presumably it should be OK to use?).

@rkh rkh pushed a commit that closed this issue Feb 10, 2012
@boucher boucher Plus symbols in the URL should be converted to spaces when considered…
… as param values.

Closes #463.
311aa42
@rkh rkh closed this in 311aa42 Feb 10, 2012
@jdolan

I'm still seeing this issue in 1.3.3. Any ideas?

@rkh rkh reopened this Oct 10, 2012
@jdolan

I ended up using boucher's recommendation above (URI.decode_www_form_component) for the parameters I'm taking which might have spaces in them, but this still seems like a bug. It automatically decodes %20 just fine, but other URL encoding libs (e.g. Apache Commons) will send in + instead.

@ajorgensen

I am also running into this issue. Is there a reason that boucher's fix made it into master but not the latest 1.3.3 release?

@rkh rkh added a commit that referenced this issue Jan 26, 2013
@boucher boucher Plus symbols in the URL should be converted to spaces when considered…
… as param values. Closes #463.

Signed-off-by: Konstantin Haase <konstantin.mailinglists@googlemail.com>
babe1e8
@rkh rkh closed this Jan 26, 2013
@rkh rkh added a commit that referenced this issue Feb 26, 2013
@rkh rkh Revert "Plus symbols in the URL should be converted to spaces when co…
…nsidered as param values. Closes #463."

This reverts commit babe1e8.

Conflicts:
	lib/sinatra/base.rb

Fixes #638
b4d7d4b
@Rican7 Rican7 referenced this issue in klein/klein.php Jul 17, 2013
Closed

Named params should be urldecode'd #117

@rodowi

Still happens with query parameters in 1.4.5

GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.3.5)
    crack (0.3.2)
    rack (1.5.2)
    rack-protection (1.5.3)
      rack
    rack-test (0.6.2)
      rack (>= 1.0)
    rake (10.2.2)
    sinatra (1.4.5)
      rack (~> 1.4)
      rack-protection (~> 1.4)
      tilt (~> 1.3, >= 1.3.4)
    tilt (1.4.1)
    webmock (1.8.11)
      addressable (>= 2.2.7)
      crack (>= 0.1.7)

PLATFORMS
  ruby

If I request /forecast?url=http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?

get '/forecast' do
  puts params[:url]

I get:

➜  weatherman git:(fix-url-breakage) ✗ ruby test/test_api.rb -n /Latest/
Run options: -n /Latest/ --seed 13412

# Running tests:
http://www.nhc.noaa.gov/text/refresh/MIATCMEP1 shtml/232030.shtml
@rkh rkh reopened this May 25, 2014
@rodowi
  it "does not convert plus sign into space as the value of a named param" do
    mock_app do
      get '/forecast' do
        params["url"]
      end
    end
    get '/forecast?url=http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?'
    assert ok?
    assert_equal 'http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?', body
  end

PoC:

~/c/ruby/sinatra (fix-param-spacing*) $ ruby test/routing_test.rb
Run options: 

# Running tests:

[ 23/100] RoutingTest#test_does_not_convert_plus_sign_into_space_as_the_valu        
  1) Failure:
RoutingTest#test_does_not_convert_plus_sign_into_space_as_the_value_of_a_named_param_0 [test/routing_test.rb:373]:
<"http://www.nhc.noaa.gov/text/refresh/MIATCMEP1+shtml/240833.shtml?"> expected but was
<"http://www.nhc.noaa.gov/text/refresh/MIATCMEP1 shtml/240833.shtml?">.

Finished tests in 0.522258s, 191.4762 tests/s, 645.2749 assertions/s.               
100 tests, 337 assertions, 1 failures, 0 errors, 0 skips

ruby -v: ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-darwin11.0]
@rodowi

Nevermind, I realized this should be closed.

Following http://tools.ietf.org/html/rfc3986#appendix-A means '+' is reserved, therefore any client making requests with '+' should encoded to '%2B'.

@zzak
Sinatra member

👍 on leaving "+" => " "

@rkh_facts

@zzak zzak closed this Feb 13, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment