Re: [Libevent-users] evhttp_encode_uri() fails to escape certain characters
On Thu, Oct 7, 2010 at 1:12 AM, Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 24, 2010 at 4:21 PM, Bas Verhoeven <libevent@xxxxxxxxxx> wrote:
> But what if somebody is saying something iffy like
> asprintf(&query1, "q1=%s", v1);
> asprintf(&query2, "q2=%s", v2);
> encoded1 = evhttp_encode_uri(query1);
> encoded2 = evhttp_encode_uri(query2);
> asprintf(&url, "http://example.com?%s&%s", encoded1, encoded2);
> ?
>
> If they were relying on the previous broken behavior of
> evhttp_encode_uri(), changing it to do the right thing will break
> them. Of course, their code is already broken if they were relying on
> evhttp_encode_uri() actually encoding + characters reliably, so
> they're not in good shape either way.
>
> I've looked through the first few pages of google codesearch results
> for evhttp_encode_uri, and not found anything that suggests someone is
> doing this broken-but-almost-working thing.
>
> So, time to go ahead and make this change? The affected characters
> are "!$'()*+,/:=@"
>
Almost. But keep in mind that the value (the key as well actually)
should be encoded separately, not as a single unit. In your above
example, the = should get encoded and not exactly as you thought.
So if the data you are encoding happens to be "a=b+c", what would you
get if you encoded it along with the "q1=" part? If you encode
"q1=a=b+c" you should end up with "q1%3Da%3Db%2Bc" which is not what
you want. You want to encode the "a=b+c" part and add it to "q1=".
Incidentally, if the user has any control of the key name, then you
will definitely want to encode the key part too.
--
"Be excellent to each other"
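
The difference between encoding "q1=a=b+c" as one unit and encoding the key and value separately, as an added example that is not part of the original message and not libevent code. It does not call evhttp_encode_uri(); pct_encode() and build_pair() are hypothetical helpers that escape every byte outside the RFC 3986 unreserved set, which covers the "!$'()*+,/:=@" characters discussed in the thread.

```c
/* Added example, no libevent needed: pct_encode() and build_pair() are
 * hypothetical helpers, not evhttp_encode_uri(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 3986 "unreserved" set: the only bytes left unescaped. */
static const char UNRESERVED[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz0123456789-._~";

/* Percent-encode one URI component (a key or a value). Caller frees. */
char *pct_encode(const char *in)
{
    char *out = malloc(strlen(in) * 3 + 1);  /* worst case: all %XX */
    char *p = out;
    if (!out)
        return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (strchr(UNRESERVED, c))
            *p++ = (char)c;
        else
            p += sprintf(p, "%%%02X", (unsigned)c);  /* '=' -> %3D */
    }
    *p = '\0';
    return out;
}

/* Encode key and value separately, then join with a literal '='. */
char *build_pair(const char *key, const char *value)
{
    char *k = pct_encode(key), *v = pct_encode(value), *out = NULL;
    if (k && v && (out = malloc(strlen(k) + strlen(v) + 2)))
        sprintf(out, "%s=%s", k, v);
    free(k);
    free(v);
    return out;
}

int main(void)
{
    char *sep = build_pair("q1", "a=b+c");  /* q1=a%3Db%2Bc */
    char *whole = pct_encode("q1=a=b+c");   /* q1%3Da%3Db%2Bc */
    if (sep && whole)
        printf("separate: %s\nwhole:    %s\n", sep, whole);
    free(sep);
    free(whole);
    return 0;
}
```

Only the '=' that build_pair() inserts survives as a delimiter, so a value or key containing '=' or '&' cannot add or split parameters in the resulting query string.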