Backport #5843

closed

URI::HTTP and Net::HTTP do not escape \n characters in the query-string

Added by postmodern (Hal Brodigan) over 12 years ago. Updated almost 12 years ago.

Status:
Closed
[ruby-core:<unknown>]

Description

When building new URI::HTTP objects, \n characters in the query-string are not escaped. An unescaped \n character will cause two lines to be sent to an HTTP Server when passed to Net::HTTP.get, which causes parsing errors.

require 'uri/http'
require 'net/http'

uri = URI::HTTP.build(:host => 'www.example.com', :path => '/', :query => "hello\nworld")
Net::HTTP.get(uri)

00000000  47 45 54 20 2f 3f 68 65  6c 6c 6f 0a 77 6f 72 6c GET /?he llo.worl
00000010  64 20 48 54 54 50 2f 31  2e 31 0d 0a 41 63 63 65 d HTTP/1 .1..Acce
00000020  70 74 3a 20 2a 2f 2a 0d  0a 55 73 65 72 2d 41 67 pt: */*. .User-Ag
00000030  65 6e 74 3a 20 52 75 62  79 0d 0a 48 6f 73 74 3a ent: Rub y..Host:
00000040  20 77 77 77 2e 65 78 61  6d 70 6c 65 2e 63 6f 6d  www.exa mple.com
00000050  0d 0a 0d 0a                                      ....

Updated by naruse (Yui NARUSE) over 12 years ago

Arguments given to URI.build must be escaped.
You must escape \n by yourself.

Anyway it is a bug, URI.build must raise URI::InvalidComponentError.
I'll fix it.

Updated by naruse (Yui NARUSE) over 12 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r34214.
Hal, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • lib/uri/common.rb (URI::Parser#initialize_regexp):
    use \A \z instead of ^ $. [Bug #5843]
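
The effect of that anchor change, as an added Ruby example that is not part of the original thread or of Ruby's own source: the same validation pattern is anchored once with `^`/`$` and once with `\A`/`\z`, and run over constructed query strings. `QUERY_CHAR`, `accepted?`, `safe_query` and the sample inputs are assumptions made for illustration, not the regexp built in lib/uri/common.rb.

```ruby
require 'uri'

# Constructed approximation of the characters allowed in a query component
# (unreserved, sub-delims, ":", "@", "/", "?" and percent-escapes). This is an
# assumption for illustration, not the pattern built in lib/uri/common.rb.
QUERY_CHAR = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/?]|%\h\h/

# Line anchors: in Ruby, ^ and $ match at every line boundary inside the string,
# so one valid line is enough for the whole multi-line value to be accepted.
LINE_ANCHORED = /^(?:#{QUERY_CHAR})*$/

# String anchors: \A and \z match only at the very start and very end,
# so an embedded or trailing "\n" makes the match fail.
STRING_ANCHORED = /\A(?:#{QUERY_CHAR})*\z/

# Hypothetical helper: true when the validator accepts the query string.
def accepted?(pattern, query)
  pattern.match?(query)
end

# Hypothetical helper: escape the raw value first, then validate strictly.
def safe_query(raw)
  escaped = URI.encode_www_form_component(raw)
  unless accepted?(STRING_ANCHORED, escaped)
    raise ArgumentError, "invalid query: #{escaped.inspect}"
  end
  escaped
end

# Constructed sample inputs, including the value from the report.
SAMPLES = ["hello\nworld", "hello\n", "hello world\nok", "hello%0Aworld"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |q|
    puts format('%-20s line-anchored=%-5s string-anchored=%s',
                q.inspect,
                accepted?(LINE_ANCHORED, q),
                accepted?(STRING_ANCHORED, q))
  end
  puts safe_query("hello\nworld")
end
```
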

Updated by postmodern (Hal Brodigan) about 12 years ago

Thanks for resolving this! Any idea when this fix will be shipped? 1.9.3-p125 still has this bug.

Updated by naruse (Yui NARUSE) about 12 years ago

  • Tracker changed from Bug to Backport
  • Project changed from Ruby master to Backport193
  • Category deleted (lib)

Updated by postmodern (Hal Brodigan) almost 12 years ago

Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

Updated by naruse (Yui NARUSE) almost 12 years ago

postmodern (Hal Brodigan) wrote:

Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

what?
