addQueryParameter() does not escape `;` (semicolon) #3274

Closed
iglaweb opened this Issue Apr 7, 2017 · 8 comments

iglaweb commented Apr 7, 2017

I use HttpUrl.Builder#addQueryParameter, but the string ';&' is translated into ";%26". Why is the semicolon not escaped?

If a user passes a value containing ';' as a GET parameter, it can be treated as a delimiter by the server and hence part of the query string can be broken. How can I force escaping of the whole user string? Using retrofit 2.1 + okhttp 3.6

Collaborator

JakeWharton commented Apr 7, 2017

The escaping behavior is because an ampersand is a separator between key/value pairs whereas a semicolon is not. If your server treats it as a separator you'll need to escape it yourself.

Member

swankjesse commented Apr 15, 2017

No action for us to take on this.

@swankjesse swankjesse closed this Apr 15, 2017

fuyun commented Jul 19, 2017

I am using retrofit, for an API like

```java
postAPI(@Query("param") String val)
```

If val (user passed) contains a semicolon, the generated URL does not escape the semicolon. I feel it is not the right behavior. For example, if I use Django as the server, Django truncates parameter val at the semicolon. I cannot handle it at all. I have to treat the semicolon specially on the client side.

Collaborator

JakeWharton commented Jul 19, 2017

fuyun commented Jul 19, 2017

This is determined by Python's urlparse, I guess

https://docs.python.org/2/library/urlparse.html#urlparse.parse_qs

```python
>>> import urlparse  # Python 2 module
>>> urlparse.parse_qs("name1=val1;val2&name2=val3")
{'name2': ['val3'], 'name1': ['val1']}
```

Collaborator

JakeWharton commented Jul 19, 2017

fuyun commented Jul 19, 2017

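For Django users, if you want to patch this issue on the server side, you can fix it this way

```python
from django.http import QueryDict

# `request` is the current HttpRequest; re-parse the raw query with ';' percent-encoded
orig_query = request.META.get('QUERY_STRING')
if orig_query is not None:
    request.GET = QueryDict(orig_query.replace(";", "%3B"))
```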
Member

swankjesse commented Jul 19, 2017

What’s completely absurd about that Python API is that it expects both ; and %3B to be used and puts the burden on the caller to decide which to use. How you escape the URL has behavior consequences!

OkHttp has no idea how you intend to interpret ; and can’t escape on your behalf.
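The mismatch discussed in this thread, as an added example that is not part of the original discussion and is not OkHttp's, Retrofit's or Django's code: a client that leaves `;` literal, paired with a server that splits on both `&` and `;`, truncates the value, while pre-encoding `;` as `%3B` survives either kind of server. The helpers `encode_value`, `parse_query` and `round_trip` are hypothetical names and the sample value is constructed.

```python
import re
from urllib.parse import quote, unquote_plus


def encode_value(value, escape_semicolon):
    # Models the two client-side choices from the thread (an assumption, not
    # OkHttp's encoder): leave ';' literal, or percent-encode it as %3B.
    return quote(value, safe="" if escape_semicolon else ";")


def parse_query(query, separators):
    # Minimal server-side parser; `separators` holds the characters the
    # server treats as pair delimiters ("&" only, or "&;" as in the
    # urlparse.parse_qs output quoted in the thread).
    result = {}
    for pair in re.split("[" + re.escape(separators) + "]", query):
        name, eq, value = pair.partition("=")
        if not eq or not value:
            continue  # fragments without '=' or with an empty value are dropped
        result.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return result


def round_trip(value, escape_semicolon, separators):
    # Build "param=<encoded value>" and return the query string together
    # with what the server recovers for "param".
    query = "param=" + encode_value(value, escape_semicolon)
    return query, parse_query(query, separators).get("param")


if __name__ == "__main__":
    user_value = "a;b&c"  # constructed sample input
    for escape in (False, True):
        for seps in ("&;", "&"):
            query, seen = round_trip(user_value, escape, seps)
            print(f"escape={escape!s:5} separators={seps!r:5} {query:22} -> {seen}")
```

Only the combination of a literal `;` and a server that honours `;` as a separator loses data, which is why the fix has to be chosen by whoever knows how the server parses the query.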
