fix(uri): update path and query validation to reject DEL character#821
Open
HaiqalAly wants to merge 1 commit intohyperium:masterfrom
Open
fix(uri): update path and query validation to reject DEL character#821HaiqalAly wants to merge 1 commit intohyperium:masterfrom
HaiqalAly wants to merge 1 commit intohyperium:masterfrom
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hello! 👋
This is made to address #820 bug reports where the http crate was accidentally allowing the raw ASCII DEL control character (0x7F) in URI paths and queries.
What was happening?
Before, the crate correctly allows raw UTF-8 characters in the path and query. To do this, the parser checks if a byte is in the range
0x7F..=0xFFand flags it to be validated as UTF-8 later.But,
0x7Fis theDELcontrol character! Because it's a valid 1-byte ASCII/UTF-8 character, it was passing the UTF-8 validation step and sneaking its way into the parsed URI.Proposed solution
I updated the byte range checks from
0x7F..=0xFFto0x80..=0xFF.0x80through 0xFF correctly captures all multi-byte UTF-8 sequences.0x7Fnow falls through to the default_ => return Err(...)arm, properly rejecting it as an invalid URI character just like the other ASCII control characters (0x00-0x1F).I also added two new tests (
rejects_del_in_pathandrejects_del_in_query) to make sure this stays fixed!Notes
This is technically a breaking change for any older clients that were incorrectly relying on sending raw, unescaped DEL characters in their URIs. According to the RFC 3986 spec, control characters are strictly forbidden from appearing unescaped. If a client needs to send a DEL character, they must percent-encode it as %7F.
Let me know if you need any changes or if this is intentional!