ruby-changes:58163
From: Jeremy <ko1@a...>
Date: Tue, 8 Oct 2019 23:31:20 +0900 (JST)
Subject: [ruby-changes:58163] 7909f06212 (master): Check for invalid hex escapes in URI#query=
https://git.ruby-lang.org/ruby.git/commit/?id=7909f06212 From 7909f06212ae8df6ba7203f8152292a190b2b33a Mon Sep 17 00:00:00 2001 From: Jeremy Evans <code@j...> Date: Fri, 5 Jul 2019 14:45:19 -0700 Subject: Check for invalid hex escapes in URI#query= Fixes [Bug #11275] diff --git a/lib/uri/generic.rb b/lib/uri/generic.rb index ea79e79..c672d15 100644 --- a/lib/uri/generic.rb +++ b/lib/uri/generic.rb @@ -836,6 +836,7 @@ module URI https://github.com/ruby/ruby/blob/trunk/lib/uri/generic.rb#L836 v.encode!(Encoding::UTF_8) rescue nil v.delete!("\t\r\n") v.force_encoding(Encoding::ASCII_8BIT) + raise InvalidURIError, "invalid percent escape: #{$1}" if /(%\H\H)/n.match(v) v.gsub!(/(?!%\h\h|[!$-&(-;=?-_a-~])./n.freeze){'%%%02X' % $&.ord} v.force_encoding(Encoding::US_ASCII) @query = v diff --git a/test/uri/test_parser.rb b/test/uri/test_parser.rb index 088628a..b13a26c 100644 --- a/test/uri/test_parser.rb +++ b/test/uri/test_parser.rb @@ -40,6 +40,11 @@ class URI::TestParser < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/uri/test_parser.rb#L40 uri_to_ary(u1)) end + def test_parse_query_pct_encoded + assert_equal('q=%32!$&-/?.09;=:@AZ_az~', URI.parse('https://www.example.com/search?q=%32!$&-/?.09;=:@AZ_az~').query) + assert_raise(URI::InvalidURIError) { URI.parse('https://www.example.com/search?q=%XX') } + end + def test_raise_bad_uri_for_integer assert_raise(URI::InvalidURIError) do URI.parse(1) -- cgit v0.10.2 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
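Review bot: the added check in lib/uri/generic.rb, `/(%\H\H)/n.match(v)`, only rejects a `%` followed by two non-hex characters, so an escape with a single valid hex digit (such as `%1G` or `%G1`) and a `%` with fewer than two characters after it at the end of the string do not raise. Because `%` falls inside the `$-&` range of the allowed class in the `gsub!` on the next line, those malformed escapes are also not re-escaped and end up in `@query` unchanged. If the intent is to reject every invalid percent escape, a pattern such as `/%(?!\h\h)/n` would cover them; the error message would then need something other than `$1` to report the offending text.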
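Review bot: the new `test_parse_query_pct_encoded` in test/uri/test_parser.rb asserts only the `%XX` case for the failure path, and only through `URI.parse`, while the commit subject names `URI#query=`. Consider adding an assertion that assigns to `query=` directly on a parsed URI, plus cases for partially valid escapes (`%1G`, `%G1`) and a trailing `%`, so the boundary of what the check accepts is pinned down by the tests either way.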