-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not escape $ in URI paths #1183
Conversation
Apart from being a valid path char according to RFC3986[1], $ char is used by the libzypp repository variables[2] and it must not be escaped for avoiding breaking their later expansion. [1] https://datatracker.ietf.org/doc/html/rfc3986#appendix-A (sub-delims) [2] https://doc.opensuse.org/projects/libzypp/HEAD/zypp-repovars.html
@@ -9,7 +9,7 @@ module Yast | |||
class URLRecodeClass < Module | |||
# these will be substituted to a regex character class | |||
USERNAME_PASSWORD_FRAGMENT_SAFE_CHARS = "-A-Za-z0-9_.!~*'()".freeze | |||
PATH_SAFE_CHARS = "-A-Za-z0-9_.!~*'()/:".freeze | |||
PATH_SAFE_CHARS = "-A-Za-z0-9_.!~*'()/:$".freeze | |||
QUERY_SAFE_CHARS = "-A-Za-z0-9_.!~*'()/:=&".freeze |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a dumb question: Would it make sense to add $
to those other _SAFE_CHARS
as well? Or is it really exclusively usefull for PATH_SAFE_CHARS
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to the RFC, it is valid for query
part too, but not for userinfo
(part of authority
). I'm simply keeping changes at minimum.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Usually the variables are only used in the path part, in theory it could be included in the query but I have never seen that. For that you would need to implement some server side processing logic instead of just simply serving static files...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM; but it might be safer to let this also be reviewed by some real experts on those URL specifics (if we have somebody like that).
For the future I'd suggest to drop the "Edit Parts of the URL" feature completely. I guess in most cases the users just copy&paste a whole URL anyway. Building URLs manually from separate parts is a bit overkill IMHO and not used much. If you need to edit the URL you can edit whole URL, just like in a web browser... |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, let's keep the changes at minimum.
Problem
When editing a repository using the "Edit Parts of the URL" mode, YaST does not handle the dollar sign properly (escaping it to "%24").
Solution
Just include
$
intoURLRecode.PATH_SAFE_CHARS
.I evaluated (and discarded) the possibility to refactor
URLRecode
for making it RFC3986 compliant, but it does not pay off.Notes
Adding changes from SP1 on
Having a look at skelcds it could be checked that
$releasever
was used from openSUSE Leap 15.1 on. That's why the change is going to be included in SLE-15-SP1+ branches.Revisiting URI parts
Allowed chars for the URI path according to RFC3986
As the RFC states (see Appendix A for a quick view), an already percentage encoded (
%\h\h
) and/a-zA-Z0-9-._~!$&'()*+,;=:@
are perfectly valid chars for the URI path. This can be expressed with below regexpHowever, refactoring
URLRecode
for being compliant with RFC3986 not only when escaping thepath
but when doing so foruserinfo
andquery
is not as easy as it might appear at first sight. Furthermore, is not even necessary for the limited YaST URI handling so far.Discouraging the use of
URLRecode
(2021-07-28)We have added a kind of deprecation note from SLE-15-SP3 on, where a
Y2Packager::ZyppUrl
class was added for dealing with libzypp urls. See #1190 and #1191Tests
$
is not being escaped byURLRecode.EscapePath
MR: https://build.suse.de/request/show/245221 (after fixing a broken test in #1185)