From: merch-redmine@...
Date: 2019-07-05T22:14:03+00:00
Subject: [ruby-core:93567] [Ruby master Bug#11275] RFC3986_Parser accepts invalid URIs containing %

Issue #11275 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to akira (akira yamada)
Status changed from Open to Assigned
File uri-parse-query-pct-encoded.patch added

I agree that this is a bug that should be fixed. The implementation automatically percent escapes invalid characters instead of rejecting them by design. However, I don't think that implies we should accept invalid percent escapes already present. Attached is a patch that should fix the issue.

----------------------------------------
Bug #11275: RFC3986_Parser accepts invalid URIs containing %
https://bugs.ruby-lang.org/issues/11275#change-79139

* Author: jimpo (Jim Posen)
* Status: Assigned
* Priority: Normal
* Assignee: akira (akira yamada)
* Target version:
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-darwin13]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
URI.parse('https://www.example.com/search?q=%XX') does not raise an error despite being an invalid URI. A % in a URI must be followed by exactly two hex digits, but the RFC3986 parser does not check that in the URI query. Ruby 2.1 correctly raises an error.

---Files--------------------------------
uri-parse-query-pct-encoded.patch (1.41 KB)

--
https://bugs.ruby-lang.org/
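
A stand-alone pre-parse check for the rule stated in the report (a % must be followed by exactly two hex digits), as an added example; it is not the attached patch or Ruby's own code. The names `malformed_pct_escapes` and `strict_parse` are hypothetical, and the check goes beyond the report by covering the whole URI string rather than only the query.

```ruby
require "uri"

# Added example: names below are hypothetical, not part of Ruby's uri library.
# RFC 3986 section 2.1: pct-encoded = "%" HEXDIG HEXDIG
# Matches any "%" that is NOT followed by two hex digits.
MALFORMED_PCT = /%(?![0-9A-Fa-f]{2})/

# Return [offset, snippet] for every malformed percent-escape in str.
# The snippet is the "%" plus up to two following characters, for logging.
def malformed_pct_escapes(str)
  found = []
  pos = 0
  while (pos = str.index(MALFORMED_PCT, pos))
    found << [pos, str[pos, 3]]
    pos += 1
  end
  found
end

# Reject malformed escapes up front, then hand the string to URI.parse.
# Validating before parsing gives the same verdict on every Ruby version,
# whether or not the installed parser checks escapes in the query itself.
def strict_parse(str)
  bad = malformed_pct_escapes(str)
  unless bad.empty?
    pos, snippet = bad.first
    raise URI::InvalidURIError,
          "malformed percent-escape #{snippet.inspect} at offset #{pos}"
  end
  URI.parse(str)
end
```

Rejecting the input at the boundary, instead of passing it on for a later component to reinterpret, keeps every consumer of the URI working from the same decoded value.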