
Re: [Libevent-users] evhttp_encode_uri() fails to escape certain characters



On Thu, Oct 7, 2010 at 1:12 AM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 24, 2010 at 4:21 PM, Bas Verhoeven <libevent@xxxxxxxxxx> wrote:

> But what if somebody is saying something iffy like
>    asprintf(&query1, "q1=%s", v1);
>    asprintf(&query2, "q2=%s", v2);
>    encoded1 = evhttp_encode_uri(query1);
>    encoded2 = evhttp_encode_uri(query2);
>    asprintf(&url, "http://example.com?%s&%s", encoded1, encoded2);
> ?
>
> If they were relying on the previous broken behavior of
> evhttp_encode_uri(), changing it to do the right thing will break
> them.  Of course, their code is already broken if they were relying on
> evhttp_encode_uri() actually encoding + characters reliably, so
> they're not in good shape either way.
>
> I've looked through the first few pages of google codesearch results
> for evhttp_encode_uri, and not found anything that suggests someone is
> doing this broken-but-almost-working thing.
>
> So, time to go ahead and make this change?  The affected characters
> are "!$'()*+,/:=@"
>

Almost.  But keep in mind that the value (the key as well actually)
should be encoded separately, not as a single unit.   In your above
example, the = should get encoded and not exactly as you thought.

So if the data you are encoding happens to be "a=b+c", what would you
get if you encoded it along with the "q1=" part?   If you encode
"q1=a=b+c" you should end up with "q1%3Da%3Db%2Bc" which is not what
you want.  You want to encode the "a=b+c" part and add it to "q1=".

Incidentally, if the user has any control of the key name, then you
will definitely want to encode the key part too.


-- 
"Be excellent to each other"
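
The difference discussed in the reply above, as an added example that is not part of the original thread and is not libevent's code. `pct_encode` is a hypothetical stand-in for a corrected encoder (assumed to escape every byte outside the RFC 3986 unreserved set), and `query_pair` is a hypothetical helper that encodes key and value separately before joining them.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a fixed encoder: escapes every byte except
 * the RFC 3986 unreserved set (ALPHA / DIGIT / "-" / "." / "_" / "~"). */
static char *pct_encode(const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    /* Worst case every byte becomes "%XX", plus the terminating NUL. */
    char *out = malloc(3 * strlen(in) + 1), *p = out;
    if (!out)
        return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            *p++ = (char)c;
        } else {
            *p++ = '%';
            *p++ = hex[c >> 4];
            *p++ = hex[c & 15];
        }
    }
    *p = '\0';
    return out;
}

/* Encode key and value separately, then join with a literal '='.
 * The delimiter is structure, so it is never passed to the encoder. */
static char *query_pair(const char *key, const char *value)
{
    char *k = pct_encode(key), *v = pct_encode(value), *out = NULL;
    if (k && v) {
        size_t len = strlen(k) + strlen(v) + 2;   /* '=' and NUL */
        out = malloc(len);
        if (out)
            snprintf(out, len, "%s=%s", k, v);
    }
    free(k); free(v);
    return out;
}

int main(void)
{
    char *whole = pct_encode("q1=a=b+c");    /* delimiter escaped as well */
    char *pair = query_pair("q1", "a=b+c");  /* only the data is escaped */
    if (whole && pair)
        printf("%s\n%s\n", whole, pair);
    free(whole); free(pair);
    return 0;
}
```

Encoding the assembled string turns the `q1=` delimiter into `q1%3D`, so the server no longer sees a key named `q1`; encoding the parts keeps the delimiter literal while a `=`, `&` or `+` inside user-supplied data cannot alter the query structure.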