URI Unicode handling #308
This code will trigger

URI must be ascii only (URI::InvalidURIError)

when Unicode is used.

roda/lib/roda/plugins/route_csrf.rb, line 240 in 81a93bc

URI.parse(URI::Parser.new.escape(url))

should be used instead. cf. https://stackoverflow.com/questions/46849219/ruby-uriinvalidurierror-uri-must-be-ascii-only/75487328

Thanks for the report. It seems like such a change would break existing cases where the action is already correctly percent-escaped, so this wouldn't be a backwards-compatible change. Therefore, automatically escaping the argument would have to be added as an option (either a plugin option, a method option, or both).

After more thought, I don't think it's worth it to add an option for this. So I'll just update the documentation to make it clear that appropriate URL encoding is expected.

URL encoding is something that works when you directly work with Ruby URI: But even when the user puts URL-encoded Unicode in a parameter in their browser, that's not necessarily what will come to Roda. It will depend on how the web browser, reverse proxy and application server decide whether to decode it or not.

There are options to handle that, and without re-encoding already encoded parts:

Also see my comment here ruby/webrick#110 (comment) and here ruby/webrick#110 (comment)

Both approaches are slower and prone to security issues:

In general it's a bad idea for library code to make guesses as to whether to encode. It should always work in the same way. It's simpler and backwards compatible to assume it is always already properly encoded. While we could add an option to toggle the behavior, I think it's better to document the expected behavior. Users can and should make sure the URL or URL path they are passing is valid.

Upstream issue ruby/uri#40
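Added example (written for this page; it is not code from the issue, from Roda or from the ruby/uri project) showing the three positions taken in the thread: URI.parse rejecting raw Unicode, the proposed escape-then-parse fix double-encoding input that was already percent-encoded, and the caller-encodes contract the maintainer chose to document instead. The function names (parse_status, escape_then_parse, build_url), the PATH_UNSAFE constant and all sample URLs are constructed assumptions, not identifiers from the page.

```ruby
require 'uri'

# Reproduce the failure reported in the issue: URI.parse rejects any URL
# that is not pure ASCII. Returns :ok or :invalid instead of raising.
def parse_status(url)
  URI.parse(url)
  :ok
rescue URI::InvalidURIError
  :invalid
end

# The change proposed in the issue: escape, then parse. It does make raw
# Unicode parse, but '%' is itself "unsafe" for the default escape table,
# so input that was already percent-encoded is encoded a second time.
# That double encoding is the backwards-compatibility break the maintainer
# points out: a library cannot tell "%C3%BC" (data) from "%C3%BC" (encoding).
def escape_then_parse(url)
  URI.parse(URI::Parser.new.escape(url)).to_s
end

# The contract the maintainer documents instead: the caller builds a valid,
# ASCII-only URL by encoding each component exactly once at construction
# time, while the components are still separate, so the library never has to
# guess. Path segments are percent-encoded for everything outside the
# RFC 3986 "unreserved" set (so '/' and '%' inside a segment are data, not
# structure); the query uses application/x-www-form-urlencoded.
PATH_UNSAFE = /[^A-Za-z0-9\-._~]/ # hypothetical constant, not from Roda
ESCAPER = URI::RFC2396_Parser.new # its #escape accepts a custom unsafe set

def build_url(base, segments, query = {})
  path = segments.map { |seg| ESCAPER.escape(seg, PATH_UNSAFE) }.join('/')
  url = "#{base}/#{path}"
  url += "?#{URI.encode_www_form(query)}" unless query.empty?
  URI.parse(url).to_s # parses cleanly: ASCII only, every byte encoded once
end

if $PROGRAM_NAME == __FILE__
  puts parse_status("https://example.com/search?q=tür")   # invalid
  puts escape_then_parse("https://example.com/t%C3%BCr")  # double-encoded
  puts build_url("https://example.com", ["docs", "tür mit/slash"],
                 "q" => "tür", "note" => "100% done")
end
```

build_url deliberately takes components rather than a pre-assembled string: once a string like "https://example.com/t%C3%BCr" exists, a literal "%" or "ü" in it may be payload or a missed encoding step, and no downstream code (the route_csrf plugin included) can decide which without guessing. Encoding at the point of assembly is what makes the maintainer's "always assume it is already encoded" rule safe to rely on.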