Issue #5843 has been updated by naruse (Yui NARUSE).


postmodern (Hal Brodigan) wrote:
> Should this also be prevented in Net::HTTP with a simple URI.escape(path_query,"\n") ?

what?
----------------------------------------
Backport #5843: URI::HTTP and Net::HTTP do not escape \n characters in the query-string
https://bugs.ruby-lang.org/issues/5843#change-28132

Author: postmodern (Hal Brodigan)
Status: Closed
Priority: Normal
Assignee: akira (akira yamada)
Category: 
Target version: 


When building new URI::HTTP objects, \n characters in the query-string are not escaped. An unescaped \n character will cause two lines to be sent to an HTTP Server when passed to Net::HTTP.get, which causes parsing errors.

    require 'uri/http'
    require 'net/http'
    
    uri = URI::HTTP.build(:host => 'www.example.com', :path => '/', :query => "hello\nworld")
    Net::HTTP.get(uri)

    00000000  47 45 54 20 2f 3f 68 65  6c 6c 6f 0a 77 6f 72 6c GET /?he llo.worl
    00000010  64 20 48 54 54 50 2f 31  2e 31 0d 0a 41 63 63 65 d HTTP/1 .1..Acce
    00000020  70 74 3a 20 2a 2f 2a 0d  0a 55 73 65 72 2d 41 67 pt: */*. .User-Ag
    00000030  65 6e 74 3a 20 52 75 62  79 0d 0a 48 6f 73 74 3a ent: Rub y..Host:
    00000040  20 77 77 77 2e 65 78 61  6d 70 6c 65 2e 63 6f 6d  www.exa mple.com
    00000050  0d 0a 0d 0a                                      ....



-- 
http://bugs.ruby-lang.org/