Fix URI parser: IPv6 structural validation and pct-encoded case sensitivity #2354
Merged
🤖 Augment PR Summary
Summary: This PR tightens URI parsing around IP-literals and percent-encoding to better match RFC 3986.
Changes:
Technical Notes: IPv6 validation now leverages the existing core IP validator, while IPvFuture handling remains parser-local per RFC 3986.
0e33b86 to 8141fbd
8141fbd to 322ce03
…tivity Signed-off-by: AcE <kintan0108@gmail.com>
322ce03 to ca16483
jviotti reviewed Apr 24, 2026
| } | ||
|
|
||
| const auto literal{input.substr(start + 1, position - start - 1)}; | ||
| if (!is_ipvfuture && !sourcemeta::core::is_ipv6(literal)) [[unlikely]] { |
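Review bot: in the `!is_ipvfuture && !sourcemeta::core::is_ipv6(literal)` condition, the `is_ipvfuture` branch skips the structural check entirely, so nothing in these lines rejects an empty or malformed IPvFuture literal. A short comment pointing at where that form is validated, plus a regression test for it, would make the split explicit. The `position - start - 1` length passed to `substr` also relies on `position > start`; if those are unsigned, an underflow would silently take the rest of `input`, so the invariant is worth asserting or noting.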
Member
Ahh good catch. We developed the ip module very recently. Makes sense using here now! 💯
jviotti approved these changes Apr 24, 2026
Member
Impeccable PR. Great job. Thanks!
Fixes #2353
What changed
IPv6 false positives (6 cases)
`parse_ipv6()` previously accepted any sequence of hex digits, colons, and dots inside brackets without validating RFC 3986 §3.2.2 / RFC 4291 structural rules. After the character-level scan, the extracted address is now passed to `is_ipv6()` which already enforces all the rules correctly:
- `http://[]` - empty brackets
- `http://[2001:db8::00000]` - h16 group exceeds 4 hex digits
- `http://[2001::db8::1]` - more than one `::`
- `http://[1:2:3:4:5:6:7]` - 7 groups without `::`
- `http://[1:2:3:4:5:6:7:8:9]` - 9 groups
- `http://[::ffff:1.2.3.256]` - embedded IPv4 octet out of range
Percent-encoding false negative (1 case)
`validate_percent_encoded_utf8()` was treating bytes like `0xAF` as bare UTF-8 continuation bytes and throwing. RFC 3986 §2.1 only requires two valid `HEXDIG` after `%`; UTF-8 validity of the encoded octet is not required. The function now returns after confirming two valid hex digits.
- `http://a.com/%aF` - mixed-case hex rejected incorrectly
Tests
7 regression tests added to `uri_parse_test.cc`, one per fixed case.
All 628 existing URI unit tests continue to pass.
It's ready for review @jviotti
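The structural rules behind the six IPv6 cases and the `%aF` case in the description above, as an added stand-alone example (not the project's code). The names `example_is_ipv4`, `example_is_ipv6` and `example_pct_ok` are hypothetical and do not reproduce `sourcemeta::core::is_ipv6` or `validate_percent_encoded_utf8()`.

```cpp
#include <cctype>
#include <cstddef>
#include <string_view>

static bool hex(char c) { return std::isxdigit(static_cast<unsigned char>(c)) != 0; }

// IPv4address: four dec-octets, each 0..255, no leading zeros.
static bool example_is_ipv4(std::string_view s) {
  int parts = 0;
  for (std::size_t i = 0, digits = 0; i < s.size(); ++parts, digits = 0) {
    int value = 0;
    for (; i < s.size() && digits < 4 && s[i] >= '0' && s[i] <= '9'; ++i, ++digits)
      value = value * 10 + (s[i] - '0');
    if (digits == 0 || value > 255 || (digits > 1 && s[i - digits] == '0')) return false;
    if (i < s.size() && (s[i] != '.' || ++i == s.size())) return false;
  }
  return parts == 4;
}

// Structural check of the text between "[" and "]" (IPv6address, no zone id).
bool example_is_ipv6(std::string_view s) {
  const std::size_t gap = s.find("::");
  if (s.empty() || gap != s.rfind("::")) return false;  // empty, or more than one "::"
  std::size_t groups = 0, i = (gap == 0) ? 2 : 0;
  while (i < s.size()) {
    const std::size_t end = s.find(':', i);
    const bool last = end == std::string_view::npos;
    const std::string_view group = s.substr(i, end - i);  // count is clamped when last
    if (last && group.find('.') != std::string_view::npos) {
      if (!example_is_ipv4(group)) return false;
      groups += 2;  // an embedded IPv4 address fills two 16-bit groups
    } else {
      if (group.empty() || group.size() > 4) return false;  // h16 is 1..4 hex digits
      for (char c : group) if (!hex(c)) return false;
      ++groups;
    }
    if (last) break;
    if ((i = end + 1) == s.size()) return false;  // lone trailing ":"
    if (s[i] == ':') ++i;                         // step over the single "::"
  }
  return gap != std::string_view::npos ? groups <= 7 : groups == 8;
}

// pct-encoded = "%" HEXDIG HEXDIG in either case; the octet need not be valid UTF-8.
bool example_pct_ok(std::string_view s) {
  for (std::size_t i = 0; i < s.size(); ++i)
    if (s[i] == '%' && (s.size() - i < 3 || !hex(s[i + 1]) || !hex(s[i + 2]))) return false;
  return true;
}
```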