Bug #8612

nil in ERB::Util.url_encode

Added by Fotos Georgiadis 10 months ago. Updated 8 months ago.

Assignee:Takeyuki FUJIOKA
Target version:-
ruby -v:1.9.3p448, 2.0.0p255 Backport:1.9.3: UNKNOWN, 2.0.0: UNKNOWN


We hit a bug while using Rails and trying to URL encode an ActiveSupport::SafeBuffer. I have managed to reproduce it using a small test case for Ruby 1.9.3 and Ruby 2.0.0 (both attached) that shows a minimum set of requirements to trigger the bug. The issue seems to be fixed in trunk (2.1) but I couldn't find the relevant commit(s).

To reproduce:
require 'erb'

class MyString < String
def to_s

def gsub(*args, &block)
  to_str.gsub(*args, &block)


string = "\xCE\x94\xCE\xBF\xCE\xBA\xCE\xB9\xCE\xBC\xCE\xAE".force_encoding("UTF-8")


Expected outcome:

The URL encoding should work and it should encode the characters properly (according to the spec).

Actual outcome:

NoMethodError: undefined method unpack' for nil:NilClass
block in urlencode'
erb.rb:71:in gsub'
/Users/fotos/Playground/OpenSource/ruby/lib/erb.rb:951:in url_encode'



Yielding the match and using it instead of $& (last match) seems to work properly as demonstrated in the patch.


PS. Some credits go out to Aggelos Orfanakos (@agorf) for triggering the bug! :-)

ruby_1_9_3_url_encode_issue.patch Magnifier - Ruby 1.9.3 patch for ERB::Util.url_encode (1.49 KB) Fotos Georgiadis, 07/09/2013 12:58 AM

ruby_2_0_0_url_encode_issue.patch Magnifier - Ruby 2.0.3 patch for ERB::Util.url_encode (1.49 KB) Fotos Georgiadis, 07/09/2013 12:58 AM

ruby_1_9_3_cgi_escape_issue.patch Magnifier - Ruby 1.9.3 patch for CGI::escape / unescape (1.03 KB) Fotos Georgiadis, 07/11/2013 11:08 PM

ruby_2_0_0_cgi_escape_issue.patch Magnifier - Ruby 2.0.0 patch for CGI::escape / unescape (1.09 KB) Fotos Georgiadis, 07/11/2013 11:08 PM

Related issues

Related to ruby-trunk - Feature #8648: unuse special global variable in erb/cgi methods Closed 07/17/2013


#1 Updated by Zachary Scott 10 months ago

  • Category set to lib
  • Status changed from Open to Assigned
  • Assignee set to Masatoshi Seki

#2 Updated by Fotos Georgiadis 10 months ago

The same issue exists in (({CGI::escape})). Internally it calls (({$1.bytesize})) and (({$1})) is (({nil})).

For example calling:


results in:

NoMethodError: undefined method bytesize' for nil:NilClass
from ruby-1.9.3-p194/lib/ruby/1.9.1/cgi/util.rb:8:in
block in escape'

I didn't test this with the latest stable versions of 1.9 or 2.0 but looking at the code it appears to be the same issue (global variables (({$1})), (({$2})), (({$`})), (({$&})), and (({$'})) appear to be (({nil}))). Yielding and using the match in gsub also solves the problem.



#3 Updated by Takeyuki FUJIOKA 10 months ago

  • Assignee changed from Masatoshi Seki to Takeyuki FUJIOKA

seki leave to xibbar.

#4 Updated by Takeyuki FUJIOKA 9 months ago

  • Status changed from Assigned to Rejected

This is not a bug.
Because implemented string class is not supported.
But I think this proposal is good.
I will merge to trunk.
Thank you.

#5 Updated by Fotos Georgiadis 8 months ago

xibbar (Takeyuki FUJIOKA) wrote:

Thank you.

Thank you for merging this.

Also available in: Atom PDF