net/url: Request with %2F is not transmitted correctly #10887
Labels
Comments
|
Please see http://golang.org/pkg/net/url/#URL
Note that the Path field is stored in decoded form: /%47%6f%2f becomes
/Go/. A consequence is that it is impossible to tell which slashes in the
Path were slashes in the raw URL and which were %2f. This distinction is
rarely important, but when it is a client must use other routines to parse
the raw URL or construct the parsed URL. For example, an HTTP server can
consult req.RequestURI, and an HTTP client can use URL{Host: "example.com",
Opaque: "//example.com/Go%2f"} instead of URL{Host: "example.com", Path:
"/Go/"}.
|
rsc
added a commit
that referenced
this issue
Jun 22, 2015
Historically we have declined to try to provide real support for URLs that contain %2F in the path, but they seem to be popping up more often, especially in (arguably ill-considered) REST APIs that shoehorn entire paths into individual path elements. The obvious thing to do is to introduce a URL.RawPath field that records the original encoding of Path and then consult it during URL.String and URL.RequestURI. The problem with the obvious thing is that it breaks backward compatibility: if someone parses a URL into u, modifies u.Path, and calls u.String, they expect the result to use the modified u.Path and not the original raw encoding. Split the difference by treating u.RawPath as a hint: the observation is that there are many valid encodings of u.Path. If u.RawPath is one of them, use it. Otherwise compute the encoding of u.Path as before. If a client does not use RawPath, the only change will be that String selects a different valid encoding sometimes (the original passed to Parse). This ensures that, for example, HTTP requests use the exact encoding passed to http.Get (or http.NewRequest, etc). Also add new URL.EscapedPath method for access to the actual escaped path. Clients should use EscapedPath instead of reading RawPath directly. All the old workarounds remain valid. Fixes #5777. Might help #9859. Fixes #7356. Fixes #8767. Fixes #8292. Fixes #8450. Fixes #4860. Fixes #10887. Fixes #3659. Fixes #8248. Fixes #6658. Reduces need for #2782. Change-Id: I77b88f14631883a7d74b72d1cf19b0073d4f5473 Reviewed-on: https://go-review.googlesource.com/11302 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
go version 1.4.2, Linux x64
When trying to form an URL with escaped "/" (%2F) the handling in net/url either removes the escaping or does double escaping (in which case the requested URL is wrong).
http://play.golang.org/p/1vDHT_p-cZ
The same issue of course makes calling the http.NewRequest also impossible as the given URL is not honored (escaped characters are removed, since the method calls url.Parse) and the wrong URL is called on the other end.
Expected result: QueryEscaped URL should not be modified. Has resemblance to issue #2782
The text was updated successfully, but these errors were encountered: