Project

General

Profile

Actions

Backport #5843

closed

URI::HTTP and Net::HTTP do not escape \n characters in the query-string

Added by postmodern (Hal Brodigan) almost 13 years ago. Updated over 12 years ago.

Status:
Closed
[ruby-core:<unknown>]

Description

When building new URI::HTTP objects, \n characters in the query-string are not escaped. An unescaped \n character will cause two lines to be sent to an HTTP Server when passed to Net::HTTP.get, which causes parsing errors.

require 'uri/http'
require 'net/http'

uri = URI::HTTP.build(:host => 'www.example.com', :path => '/', :query => "hello\nworld")
Net::HTTP.get(uri)

00000000  47 45 54 20 2f 3f 68 65  6c 6c 6f 0a 77 6f 72 6c GET /?he llo.worl
00000010  64 20 48 54 54 50 2f 31  2e 31 0d 0a 41 63 63 65 d HTTP/1 .1..Acce
00000020  70 74 3a 20 2a 2f 2a 0d  0a 55 73 65 72 2d 41 67 pt: */*. .User-Ag
00000030  65 6e 74 3a 20 52 75 62  79 0d 0a 48 6f 73 74 3a ent: Rub y..Host:
00000040  20 77 77 77 2e 65 78 61  6d 70 6c 65 2e 63 6f 6d  www.exa mple.com
00000050  0d 0a 0d 0a                                      ....

Updated by naruse (Yui NARUSE) almost 13 years ago

Arguments given to URI.build must be escaped.
You must escape \n by yourself.

Anyway it is a bug, URI.build must raise URI::InvalidComponentError.
I'll fix it.

Actions #2

Updated by naruse (Yui NARUSE) almost 13 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r34214.
Hal, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • lib/uri/common.rb (URI::Parser#initialize_regexp):
    use \A \z instead of ^ $. [Bug #5843]

Updated by postmodern (Hal Brodigan) over 12 years ago

Thanks for resolving this! Any idea when this fix will be shipped, 1.9.3-p125 still has this bug.

Actions #4

Updated by naruse (Yui NARUSE) over 12 years ago

  • Tracker changed from Bug to Backport
  • Project changed from Ruby master to Backport193
  • Category deleted (lib)

Updated by postmodern (Hal Brodigan) over 12 years ago

Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

Updated by naruse (Yui NARUSE) over 12 years ago

postmodern (Hal Brodigan) wrote:

Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

what?

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0