Bug #11275

RFC3986_Parser accepts invalid URIs containing %

Added by jimpo (Jim Posen) almost 5 years ago. Updated 8 months ago.

Target version:
ruby -v:
ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-darwin13]


URI.parse('') does not raise an error despite being an invalid URI. A % in a URI must be followed by exactly two hex digits, but the RFC3986 parser does not check that in the URI query. Ruby 2.1 correctly raises an error.


uri-parse-query-pct-encoded.patch (1.41 KB) uri-parse-query-pct-encoded.patch jeremyevans0 (Jeremy Evans), 07/05/2019 10:00 PM

Related issues

Related to Ruby master - Bug #10402: URI regression in 2.2.0-preview1 (bad URI(is not URI?): URI::InvalidURIError)Closednaruse (Yui NARUSE)Actions

Updated by usa (Usaku NAKAMURA) almost 5 years ago

  • Related to Bug #10402: URI regression in 2.2.0-preview1 (bad URI(is not URI?): URI::InvalidURIError) added

Updated by jeremyevans0 (Jeremy Evans) 11 months ago

I agree that this is a bug that should be fixed. The implementation automatically percent escapes invalid characters instead of rejecting them by design. However, I don't think that implies we should accept invalid percent escapes already present. Attached is a patch that should fix the issue.


Updated by jeremyevans (Jeremy Evans) 8 months ago

  • Status changed from Assigned to Closed

Applied in changeset git|7909f06212ae8df6ba7203f8152292a190b2b33a.

Check for invalid hex escapes in URI#query=

Fixes [Bug #11275]

Also available in: Atom PDF