Issue #11275 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to akira (akira yamada)
Status changed from Open to Assigned
File uri-parse-query-pct-encoded.patch added

I agree that this is a bug that should be fixed.  The implementation automatically percent escapes invalid characters instead of rejecting them by design. However, I don't think that implies we should accept invalid percent escapes already present.  Attached is a patch that should fix the issue.

----------------------------------------
Bug #11275: RFC3986_Parser accepts invalid URIs containing %
https://bugs.ruby-lang.org/issues/11275#change-79139

* Author: jimpo (Jim Posen)
* Status: Assigned
* Priority: Normal
* Assignee: akira (akira yamada)
* Target version: 
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-darwin13]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
URI.parse('https://www.example.com/search?q=%XX') does not raise an error despite being an invalid URI. A % in a URI must be followed by exactly two hex digits, but the RFC3986 parser does not check that in the URI query. Ruby 2.1 correctly raises an error. 

---Files--------------------------------
uri-parse-query-pct-encoded.patch (1.41 KB)


-- 
https://bugs.ruby-lang.org/
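
A pre-parse check for the rule stated in the issue (a % must be followed by exactly two hex digits), as an added example that is not taken from the issue or the attached patch. The helper names malformed_pct_escapes and strict_parse are hypothetical. The check runs on the raw string before URI.parse, so the result does not depend on which parser version is installed.

```ruby
require "uri"

# RFC 3986 section 2.1: pct-encoded = "%" HEXDIG HEXDIG.
# Matches any "%" that is NOT followed by two hex digits.
BAD_PCT = /%(?![0-9A-Fa-f]{2})/

# Hypothetical helper: list every malformed escape in the raw string as
# [component, offset, snippet]. Component boundaries follow RFC 3986:
# the first "#" starts the fragment, the first "?" before it starts the query.
def malformed_pct_escapes(uri_string)
  frag_at  = uri_string.index("#") || uri_string.length
  query_at = uri_string.index("?")
  query_at = nil if query_at && query_at > frag_at

  found = []
  uri_string.scan(BAD_PCT) do
    pos = Regexp.last_match.begin(0)
    component =
      if pos > frag_at
        :fragment
      elsif query_at && pos > query_at
        :query
      else
        :hier_part # scheme, authority and path
      end
    found << [component, pos, uri_string[pos, 3]]
  end
  found
end

# Hypothetical wrapper: reject malformed escapes first, then parse as usual.
def strict_parse(uri_string)
  bad = malformed_pct_escapes(uri_string)
  unless bad.empty?
    component, pos, snippet = bad.first
    raise URI::InvalidURIError,
          "malformed percent-escape #{snippet.inspect} in #{component} at offset #{pos}"
  end
  URI.parse(uri_string)
end

# Constructed sample inputs; the first is the URI from the report.
if __FILE__ == $PROGRAM_NAME
  ["https://www.example.com/search?q=%XX",
   "https://www.example.com/search?q=%20ok",
   "https://www.example.com/a%2/b?x=1#frag%"].each do |s|
    puts "#{s} => #{malformed_pct_escapes(s).inspect}"
  end
end
```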