Do not escape $ in URI paths #1183
Conversation
Apart from being a valid path char according to RFC3986[1], $ char is used by the libzypp repository variables[2] and it must not be escaped for avoiding breaking their later expansion. [1] https://datatracker.ietf.org/doc/html/rfc3986#appendix-A (sub-delims) [2] https://doc.opensuse.org/projects/libzypp/HEAD/zypp-repovars.html
| @@ -9,7 +9,7 @@ module Yast | |||
| class URLRecodeClass < Module | |||
| # these will be substituted to a regex character class | |||
| USERNAME_PASSWORD_FRAGMENT_SAFE_CHARS = "-A-Za-z0-9_.!~*'()".freeze | |||
| PATH_SAFE_CHARS = "-A-Za-z0-9_.!~*'()/:".freeze | |||
| PATH_SAFE_CHARS = "-A-Za-z0-9_.!~*'()/:$".freeze | |||
| QUERY_SAFE_CHARS = "-A-Za-z0-9_.!~*'()/:=&".freeze | |||
There was a problem hiding this comment.
Just a dumb question: Would it make sense to add $ to those other _SAFE_CHARS as well? Or is it really exclusively usefull for PATH_SAFE_CHARS?
There was a problem hiding this comment.
According to the RFC, it is valid for query part too, but not for userinfo (part of authority). I'm simply keeping changes at minimum.
There was a problem hiding this comment.
Usually the variables are only used in the path part, in theory it could be included in the query but I have never seen that. For that you would need to implement some server side processing logic instead of just simply serving static files...
|
For the future I'd suggest to drop the "Edit Parts of the URL" feature completely. I guess in most cases the users just copy&paste a whole URL anyway. Building URLs manually from separate parts is a bit overkill IMHO and not used much. If you need to edit the URL you can edit whole URL, just like in a web browser... |
Problem
When editing a repository using the "Edit Parts of the URL" mode, YaST does not handle the dollar sign properly (escaping it to "%24").
Solution
Just include
$intoURLRecode.PATH_SAFE_CHARS.I evaluated (and discarded) the possibility to refactor
URLRecodefor making it RFC3986 compliant, but it does not pay off.Notes
Adding changes from SP1 on
Having a look at skelcds it could be checked that
$releaseverwas used from openSUSE Leap 15.1 on. That's why the change is going to be included in SLE-15-SP1+ branches.Revisiting URI parts
Allowed chars for the URI path according to RFC3986
As the RFC states (see Appendix A for a quick view), an already percentage encoded (
%\h\h) and/a-zA-Z0-9-._~!$&'()*+,;=:@are perfectly valid chars for the URI path. This can be expressed with below regexpHowever, refactoring
URLRecodefor being compliant with RFC3986 not only when escaping thepathbut when doing so foruserinfoandqueryis not as easy as it might appear at first sight. Furthermore, is not even necessary for the limited YaST URI handling so far.Discouraging the use of
URLRecode(2021-07-28)We have added a kind of deprecation note from SLE-15-SP3 on, where a
Y2Packager::ZyppUrlclass was added for dealing with libzypp urls. See #1190 and #1191Tests
$is not being escaped byURLRecode.EscapePathMR: https://build.suse.de/request/show/245221 (after fixing a broken test in #1185)