You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The URL.ResolveReference method uses the unescaped version of the path (rather than RawPath), and so loses the URL's desired escaping and makes incorrect decisions if the path contains escaped slashes (%2f).
The correct answer should be http://example.com/up
See https://play.golang.org/p/Xptwz1obCZ for an example comparing the behaviour of %2f and %20 (an interesting case is also with %2d – the final URL is correct, but you lose the desired escaping of the hyphen).
I think the fix is to make ResolveReference operate on the EscapedPath values, and unescape at the end.
The
URL.ResolveReference
method uses the unescaped version of the path (rather thanRawPath
), and so loses the URL's desired escaping and makes incorrect decisions if the path contains escaped slashes (%2f).As a simple example:
The correct answer should be
http://example.com/up
See https://play.golang.org/p/Xptwz1obCZ for an example comparing the behaviour of %2f and %20 (an interesting case is also with %2d – the final URL is correct, but you lose the desired escaping of the hyphen).
I think the fix is to make
ResolveReference
operate on theEscapedPath
values, and unescape at the end./cc @bradfitz
The text was updated successfully, but these errors were encountered: