Bug #11275
closed
RFC3986_Parser accepts invalid URIs containing %
Description
URI.parse('https://www.example.com/search?q=%XX') does not raise an error despite being an invalid URI. A % in a URI must be followed by exactly two hex digits, but the RFC3986 parser does not check that in the URI query. Ruby 2.1 correctly raises an error.
Files
Updated by jimpo (Jim Posen) almost 9 years ago
Seems to have happened in commit 21ab98a997d2ed44c9c95cf5434a42561b2cd688.
Updated by usa (Usaku NAKAMURA) almost 9 years ago
- Related to Bug #10402: URI regression in 2.2.0-preview1 (bad URI(is not URI?): URI::InvalidURIError) added
Updated by jeremyevans0 (Jeremy Evans) almost 5 years ago
- File uri-parse-query-pct-encoded.patch uri-parse-query-pct-encoded.patch added
- Status changed from Open to Assigned
- Assignee set to akira (akira yamada)
I agree that this is a bug that should be fixed. The implementation automatically percent escapes invalid characters instead of rejecting them by design. However, I don't think that implies we should accept invalid percent escapes already present. Attached is a patch that should fix the issue.
Updated by jeremyevans (Jeremy Evans) over 4 years ago
- Status changed from Assigned to Closed
Applied in changeset git|7909f06212ae8df6ba7203f8152292a190b2b33a.
Check for invalid hex escapes in URI#query=
Fixes [Bug #11275]