From: jim.posen@...
Date: 2015-06-17T01:49:32+00:00
Subject: [ruby-core:69625] [Ruby trunk - Bug #10619] URI::HTTP#query= behavior changed for 2396 uris

Issue #10619 has been updated by Jim Posen.


In [r48934](https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/48934), why were both the RFC 2396 and RFC 3986 parsers changed to allow unescaped square brackets? The RFC 3986 spec does not allow square brackets. In @tenderlove's attached patch, [ and ] are still escaped when the RFC 3986 parser is used.

Also, the RFC 3986 parser accepts URIs with a % that is not followed by hex digits, which should be forbidden.

----------------------------------------
Bug #10619: URI::HTTP#query= behavior changed for 2396 uris
https://bugs.ruby-lang.org/issues/10619#change-52970

* Author: Aaron Patterson
* Status: Closed
* Priority: Normal
* Assignee: Yui NARUSE
* ruby -v: ruby 2.2.0dev (2014-12-18 trunk 48886) [x86_64-darwin14]
* Backport: 2.0.0: DONTNEED, 2.1: DONTNEED, 2.2: DONE
----------------------------------------
Hi,

r48244 changed the behavior of the query method on uri objects generated by the 2396 parser.  Here is a test to demonstrate the change:

~~~
require 'test/unit'
require 'uri'

module URI

class TestRFC2396 < Test::Unit::TestCase
  def test_query_on_parse
    parser = URI::RFC2396_Parser.new
    uri = parser.parse "http://www.example.com/parse?location[]=1"
    assert_equal 'location[]=1', uri.query
  end
end

end
~~~

This test passed before r48244.  I've attached a patch that fixes it and maintains the fix for Bug #10402

---Files--------------------------------
0001-use-the-parser-type-to-escape-the-query-string.patch (2.28 KB)


-- 
https://bugs.ruby-lang.org/