Do not unescape forward slashes in the request path (#146). #161
Conversation
|
You can strip out handling for |
| @@ -1,4 +1,4 @@ | |||
| <?xml version="1.0" encoding="utf-8"?> | |||
| <?xml version="1.0" encoding="utf-8"?> | |||
cesarblum
force-pushed
the
cesarbs/dont-unescape-forward-slash
branch
from
0e0e9f9 to
efd3b53
Compare
|
| } | ||
|
|
||
| return result; | ||
| return _cookedUriPath; // TODO: is this the right fallback? |
There was a problem hiding this comment.
Looking at it in the debugger, this looks like the right thing to do. It's the URL as unescaped by http.sys. We want our escaping to take precedence, but if it fails we have http.sys's to fall back to (that would escape %2F however).
There was a problem hiding this comment.
Have you found a test case that will trigger this fallback?
There was a problem hiding this comment.
Not really. Any bad path seems to be caught by http.sys and we never end up in this code. But if we were to hit this situation, having the cooked Uri seems like an appropriate fallback.
|
Have you compared the un-escaping algorithm used here to the one in kestrel? |
|
If anything, WebListener's behavior is more robust since it returns a 400 on malformed paths. When Kestrel sees |
cesarblum
force-pushed
the
cesarbs/dont-unescape-forward-slash
branch
2 times, most recently
from
202f60c to
c06ec7f
Compare
| @@ -87,6 +88,8 @@ public class RequestTests | |||
| [InlineData("/basepath/", "/basepath/subpath", "/basepath", "/subpath")] | |||
| [InlineData("/base path/", "/base%20path/sub path", "/base path", "/sub path")] | |||
| [InlineData("/base葉path/", "/base%E8%91%89path/sub%E8%91%89path", "/base葉path", "/sub葉path")] | |||
| [InlineData("/basepath/", "/basepath/sub%2Fpath", "/basepath", "/sub%2Fpath")] | |||
| [InlineData("/basepath/", "/basepath/sub%", "/basepath", "/sub%")] | |||
There was a problem hiding this comment.
This is misleading. The % is escaped by the client and sent as %25. That doesn't happen for the other test cases because they're recognized as valid escape sequences.
There was a problem hiding this comment.
It's especially confusing when the next test says the same input returns 400.
|
|
cesarblum
force-pushed
the
cesarbs/dont-unescape-forward-slash
branch
from
d87f0d5 to
d9e06f8
Compare
Set
RequestUriBuilder.UseCookedRequestUrltofalseto trigger raw parsing.The parsing behavior seemed wrong. It was decoding the path and re-encoding it right after. I changed this to that
_requestUriStringbuilds a decoded string.%2Fis skipped in the decoding process.The handling of
%uXXXXdoesn't seem to work. I tried adding a test for that case and http.sys hangs on it. The Wikipedia entry for percent encoding contains this note:There exists a non-standard encoding for Unicode characters: %uxxxx, where xxxx is a UTF-16 code unit represented as four hexadecimal digits. This behavior is not specified by any RFC and has been rejected by the W3C.
Do not un-escape forward slashes in the request path #146
cc @Tratcher @troydai @davidfowl