net/url: shouldEscape encodePath issue - RFC3986 #7914

Closed
gopherbot opened this issue May 1, 2014 · 4 comments

@gopherbot

by aaron.blohowiak:

What does 'go version' print?

  go version go1.2.1 darwin/amd64
  I checked the source in tip and the problem is also there.

What steps reproduce the problem?
If possible, include a link to a program on play.golang.org.

  http://play.golang.org/p/4ZbUkex2Wm

What happened?

  RequestURI() returns a path with many valid characters escaped.

What should have happened instead?

  All sub-delim characters MUST NOT be escaped.

Please provide any additional information below.

  Using the ReverseProxy breaks OAuth signing verification because of url.URL RequestURI()'s incorrect replacement of reserved characters with their encoded counterparts in shouldEncode(). There is a workaround of creating a custom Director that looks at the RequestURI and performs the correct parsing and escaping, populating the req.URL.Opaque and draining the req.URL.Path, but it would be better for the std library to do the right thing. Code that relies on the current escaping behavior is wrong, so I do not believe that fixing this would violate the stability guarantee.

  This violates the HTTP spec: RFC 3986 §2.2 Reserved Characters
   
  The purpose of reserved characters is to provide a set of delimiting characters that are distinguishable from other data within a URI. URIs that differ in the replacement of a reserved character with its corresponding percent-encoded octet are not equivalent. Percent-encoding a reserved character, or decoding a percent-encoded octet that corresponds to a reserved character, will change how the URI is interpreted by most applications.  Thus, characters in the reserved set are protected from normalization and are therefore safe to be used by scheme-specific and producer-specific algorithms for delimiting data subcomponents within a URI.
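
The workaround described in the report above (a custom Director that takes the path from RequestURI, sets req.URL.Opaque and empties req.URL.Path), sketched as an added example; it is not the reporter's code or part of the original issue. `preservingDirector`, `forwardedTarget`, the backend host and the sample request are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// preservingDirector returns a ReverseProxy-style Director (hypothetical
// helper) that forwards the client's request-target byte for byte.
func preservingDirector(target *url.URL) func(*http.Request) {
	return func(req *http.Request) {
		req.URL.Scheme = target.Scheme
		req.URL.Host = target.Host
		raw := req.RequestURI // request-target exactly as the client sent it
		if !strings.HasPrefix(raw, "/") {
			return // absolute-form or "*": leave the parsed URL alone
		}
		path, query := raw, ""
		if i := strings.IndexByte(raw, '?'); i >= 0 {
			path, query = raw[:i], raw[i+1:]
		}
		if strings.HasPrefix(path, "//") {
			return // RequestURI() would read such an Opaque as scheme-relative
		}
		req.URL.Opaque = path // RequestURI() emits Opaque verbatim, no re-escaping
		req.URL.Path = ""     // drained, as the report describes
		req.URL.RawQuery = query
	}
}

// forwardedTarget runs the director over a constructed inbound request and
// returns the request-target the backend would receive.
func forwardedTarget(inbound string) string {
	target := &url.URL{Scheme: "http", Host: "backend.example"} // assumed backend
	u, err := url.ParseRequestURI(inbound)
	if err != nil {
		return ""
	}
	req := &http.Request{Method: "GET", URL: u, RequestURI: inbound, Header: http.Header{}}
	preservingDirector(target)(req)
	return req.URL.RequestURI()
}

func main() {
	// Constructed sample: sub-delims and an already-encoded slash in the path.
	fmt.Println(forwardedTarget("/photos/a$b,c;d=e(1)!/x%2Fy?oauth_nonce=abc&q=a+b"))
}
```

Because the signed request-target reaches the backend unchanged, a signature computed by the client over the original path and query still verifies there.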
@gopherbot
Author

Comment 1 by aaron.blohowiak:

The spec is also violated in how user passwords are encoded, as sub-delims are also
allowed in userinfo:
   userinfo      = *( unreserved / pct-encoded / sub-delims / ":" )

@bradfitz
Contributor

bradfitz commented May 1, 2014

Comment 2:

I feel like this has been discussed already. Please search this bug tracker and
golang-nuts or golang-dev to find previous discussions? Maybe it's a dup.

@gopherbot
Author

Comment 4 by aaron.blohowiak:

Duplicates 5684

@bradfitz
Contributor

bradfitz commented May 1, 2014

Comment 5:

Status changed to Duplicate.

Merged into issue #5684.

@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.