Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

url.Parse incorrectly unescapes "%2F" back into a literal slash #6658

Closed
gopherbot opened this issue Oct 24, 2013 · 1 comment
Closed

url.Parse incorrectly unescapes "%2F" back into a literal slash #6658

gopherbot opened this issue Oct 24, 2013 · 1 comment
Labels
FrozenDueToAge

Comments

@gopherbot
Copy link
Contributor

by Jens.Alfke:

url.Parse changes escaped “/“ characters (“%2F”) back into literal slashes. This
alters the meaning of the URL, and will cause trouble with HTTP handlers if they need to
accept path components containing slashes.

Here’s a playground example: http://play.golang.org/p/3q4yN7QsGf
It demonstrates that calling
    url.Parse("http://example.com/AC%2FDC/Back%20In%20Black”)
results in the URL
    http://example.com/AC/DC/Back%20In%20Black
where the %2F has incorrectly been unescaped into a “/“. 

This will cause trouble when an HTTP handler breaks the path apart — imagine a REST
server that returns info about a record album given a GET to the path
“/artist/albumname”. Works great until you look up AC/DC — you encode the artist
as “AC%2FDC” then plug that into a URL, but the Go side unescapes the %2F, and the
path components end up as [“AC”, “DC”, “Back In Black”] which of course
doesn’t work.

As a more serious example, CouchDB's REST API allows document IDs to contain slash
characters, which then have to be escaped in URLs. I'm implementing a CouchDB-compatible
server (https://github.com/couchbase/sync_gateway) which cannot correctly handle such
documents.

I can't think of a way for an HTTP handler to work around this, because the URL that it
gets in the Request object has already been damaged, and I don't think it can find the
original raw URL string from the client.

What steps will reproduce the problem?
Run http://play.golang.org/p/3q4yN7QsGf

What is the expected output?
Path components decode as ["AC/DC", "Back In Black"]

What do you see instead?
Path components decode as ["AC", "DC", "Back In Black"].
The example panics.

Which compiler are you using (5g, 6g, 8g, gccgo)?
go build

Which operating system are you using?
Mac OS X 10.9

Which version are you using?  (run 'go version')
1.1.2
@adg
Copy link
Contributor

adg commented Oct 25, 2013

Comment 1:

Sadly I don't think we can do anything about this. See issue #3659 for a workaround.

Status changed to Duplicate.

Merged into issue #3659.

rsc added a commit that referenced this issue Jun 22, 2015
@rsc
net/url: add RawPath field, a hint at the desired encoding of Path
874a605 
Historically we have declined to try to provide real support for URLs
that contain %2F in the path, but they seem to be popping up more
often, especially in (arguably ill-considered) REST APIs that shoehorn
entire paths into individual path elements.

The obvious thing to do is to introduce a URL.RawPath field that
records the original encoding of Path and then consult it during
URL.String and URL.RequestURI. The problem with the obvious thing
is that it breaks backward compatibility: if someone parses a URL
into u, modifies u.Path, and calls u.String, they expect the result
to use the modified u.Path and not the original raw encoding.

Split the difference by treating u.RawPath as a hint: the observation
is that there are many valid encodings of u.Path. If u.RawPath is one
of them, use it. Otherwise compute the encoding of u.Path as before.

If a client does not use RawPath, the only change will be that String
selects a different valid encoding sometimes (the original passed
to Parse).

This ensures that, for example, HTTP requests use the exact
encoding passed to http.Get (or http.NewRequest, etc).

Also add new URL.EscapedPath method for access to the actual
escaped path. Clients should use EscapedPath instead of
reading RawPath directly.

All the old workarounds remain valid.

Fixes #5777.
Might help #9859.
Fixes #7356.
Fixes #8767.
Fixes #8292.
Fixes #8450.
Fixes #4860.
Fixes #10887.
Fixes #3659.
Fixes #8248.
Fixes #6658.
Reduces need for #2782.

Change-Id: I77b88f14631883a7d74b72d1cf19b0073d4f5473
Reviewed-on: https://go-review.googlesource.com/11302
Reviewed-by: Brad Fitzpatrick <[email protected]>
@duglin duglin mentioned this issue Nov 25, 2015
Closed
@golang golang locked and limited conversation to collaborators Jun 25, 2016
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adg @gopherbot