Project

General

Profile

Backport #5843

URI::HTTP and Net::HTTP do not escape \n characters in the query-string

Added by postmodern (Hal Brodigan) over 7 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
[ruby-core:<unknown>]

Description

When building new URI::HTTP objects, \n characters in the query-string are not escaped. An unescaped \n character will cause two lines to be sent to an HTTP Server when passed to Net::HTTP.get, which causes parsing errors.

require 'uri/http'
require 'net/http'

uri = URI::HTTP.build(:host => 'www.example.com', :path => '/', :query => "hello\nworld")
Net::HTTP.get(uri)

00000000  47 45 54 20 2f 3f 68 65  6c 6c 6f 0a 77 6f 72 6c GET /?he llo.worl
00000010  64 20 48 54 54 50 2f 31  2e 31 0d 0a 41 63 63 65 d HTTP/1 .1..Acce
00000020  70 74 3a 20 2a 2f 2a 0d  0a 55 73 65 72 2d 41 67 pt: */*. .User-Ag
00000030  65 6e 74 3a 20 52 75 62  79 0d 0a 48 6f 73 74 3a ent: Rub y..Host:
00000040  20 77 77 77 2e 65 78 61  6d 70 6c 65 2e 63 6f 6d  www.exa mple.com
00000050  0d 0a 0d 0a                                      ....

Associated revisions

Revision 87fe4480
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34214 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 34214
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Revision 34214
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Revision 34214
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Revision 34214
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Revision 34214
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Revision 34214
Added by naruse (Yui NARUSE) over 7 years ago

  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Revision 6cd700f3
Added by naruse (Yui NARUSE) over 7 years ago

merge revision(s) 34214:

    * lib/uri/common.rb (URI::Parser#initialize_regexp):
      use \A \z instead of ^ $. [Bug #5843]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@34761 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 34761
Added by naruse (Yui NARUSE) over 7 years ago

merge revision(s) 34214:

* lib/uri/common.rb (URI::Parser#initialize_regexp):
  use \A \z instead of ^ $. [Bug #5843]

History

Updated by naruse (Yui NARUSE) over 7 years ago

Arguments given to URI.build must be escaped.
You must escape \n by yourself.

Anyway it is a bug, URI.build must raise URI::InvalidComponentError.
I'll fix it.

#2

Updated by naruse (Yui NARUSE) over 7 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r34214.
Hal, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • lib/uri/common.rb (URI::Parser#initialize_regexp): use \A \z instead of ^ $. [Bug #5843]

Updated by postmodern (Hal Brodigan) over 7 years ago

Thanks for resolving this! Any idea when this fix will be shipped, 1.9.3-p125 still has this bug.

#4

Updated by naruse (Yui NARUSE) over 7 years ago

  • Tracker changed from Bug to Backport
  • Project changed from Ruby master to Backport193
  • Category deleted (lib)

Updated by postmodern (Hal Brodigan) about 7 years ago

Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

Updated by naruse (Yui NARUSE) about 7 years ago

postmodern (Hal Brodigan) wrote:

Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

what?

Also available in: Atom PDF