Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/url: ResolveReference doesn't handled path escaping #16947

Closed
okdave opened this issue Sep 1, 2016 · 2 comments
Closed

net/url: ResolveReference doesn't handled path escaping #16947

okdave opened this issue Sep 1, 2016 · 2 comments
Labels
FrozenDueToAge
Milestone
Go1.8

Comments

@okdave
Copy link
Contributor

okdave commented Sep 1, 2016

The URL.ResolveReference method uses the unescaped version of the path (rather than RawPath), and so loses the URL's desired escaping and makes incorrect decisions if the path contains escaped slashes (%2f).

As a simple example:

base := http://example.com/foo%2fbar/
ref := ../up 
url := base.ResolveReference(ref) // == http://example.com/foo/up

The correct answer should be http://example.com/up

See https://play.golang.org/p/Xptwz1obCZ for an example comparing the behaviour of %2f and %20 (an interesting case is also with %2d – the final URL is correct, but you lose the desired escaping of the hyphen).

I think the fix is to make ResolveReference operate on the EscapedPath values, and unescape at the end.

/cc @bradfitz
@bradfitz
Copy link
Contributor

bradfitz commented Sep 1, 2016

Fun.

@okdave okdave self-assigned this Sep 1, 2016
@gopherbot
Copy link

CL https://golang.org/cl/28343 mentions this issue.

@quentinmit quentinmit added this to the Go1.8 milestone Sep 6, 2016
@golang golang locked and limited conversation to collaborators Sep 8, 2017
@rsc rsc unassigned okdave Jun 23, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
Go1.8
Development

No branches or pull requests
4 participants
@bradfitz @quentinmit @okdave @gopherbot