Dealing with whitespaces in URI #619

Open
nyamsprod opened this issue Jan 13, 2025 · 2 comments

@nyamsprod

Description

According to RFC3986, a URI with spaces should not be parsable. It should throw, so the following 3 URIs should throw:

Example

Additional context

Because parse_url is not following RFC3986, all implementations that rely on it will gladly let those URIs pass when they should not; see https://3v4l.org/iur9H

Maybe a test should be added to the test suite to fix this issue.

Of course the issue is not applicable for PSR-7 with* methods, which MUST normalize the input and thus will convert any spaces into the %20 character.

For reference when using URI implementing objects:

```php
League\Uri\Http::new(' http://example.com/ foo?bar=baz#quz '); // will throw (on the master branch)
new \Laminas\Diactoros\Uri(' http://example.com/ foo?bar=baz#quz '); // will return a URI without a scheme and without an authority
new \GuzzleHttp\Psr7\Uri(' http://example.com/ foo?bar=baz#quz '); // will return a URI with a scheme and an authority
```

Of course the instantiation is not included in tests but I presume that the UriFactoryInterface::createUri will behave in the same manner in those packages.

I opened a similar issue on laminas-diactoros

@GrahamCampbell
Member

While the spec says this, in the real world, nobody follows the spec. This is unfortunate, in particular because browsers very much don't follow the specs. When faced with mimicking what browsers do, and strict spec compliance, we typically go with what browsers do. cURL takes the same approach. All that aside, I believe the very first space character before the scheme is an issue, and we are doing the wrong thing specially with that one.

@nyamsprod
Author

Using trurl from cURL (https://github.com/curl/trurl), the submitted URIs all fail. So I believe cURL will also complain about those URLs.

Having said that, yes, they do not fail on browsers, but that's because browsers follow WHATWG specs, which are different from RFC3986.
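
An added example, not part of the issue thread or of any library named in it: a character-level guard placed in front of `parse_url()` so that input containing whitespace (or anything else outside the RFC 3986 character set) is rejected before parsing. The helper names `assertRfc3986Characters()` and `strictParse()` are hypothetical, the sample inputs are constructed (the first is the string quoted in the issue), and the check covers allowed characters and percent-encoding only, not the full RFC 3986 grammar.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: reject any byte RFC 3986 does not allow in a URI.
function assertRfc3986Characters(string $uri): void
{
    // unreserved / gen-delims / sub-delims, plus "%" for pct-encoded octets.
    // Spaces, tabs, newlines and non-ASCII bytes are all outside this set.
    $allowed = '/\A[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]*\z/';
    if (preg_match($allowed, $uri) !== 1) {
        throw new InvalidArgumentException('URI contains characters not allowed by RFC 3986');
    }
    // Every "%" must be followed by exactly two hex digits.
    if (preg_match('/%(?![0-9A-Fa-f]{2})/', $uri) === 1) {
        throw new InvalidArgumentException('URI contains a malformed percent-encoding');
    }
}

// Hypothetical wrapper: validate first, then hand over to parse_url().
function strictParse(string $uri): array
{
    assertRfc3986Characters($uri);
    $parts = parse_url($uri);
    if ($parts === false) {
        throw new InvalidArgumentException('parse_url() could not parse the URI');
    }
    return $parts;
}

// Constructed sample inputs.
$samples = [
    ' http://example.com/ foo?bar=baz#quz ',   // string from the issue: leading, inner and trailing spaces
    "http://example.com/foo\tbar",             // tab inside the path
    'http://example.com/%20foo?bar=baz#quz',   // space already percent-encoded
    'http://example.com/%2',                   // truncated percent-encoding
];

foreach ($samples as $sample) {
    $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
    try {
        $parts = strictParse($sample);
        printf("accepted %s => %s\n", $shown, json_encode($parts, JSON_UNESCAPED_SLASHES));
    } catch (InvalidArgumentException $e) {
        printf("rejected %s: %s\n", $shown, $e->getMessage());
    }
}
```

Only the third sample is accepted; the guard throws on the other three before `parse_url()` is ever called, so no two consumers can end up disagreeing on their scheme or authority.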
