search

libwww-perl / URI

The Perl URI module
https://metacpan.org/pod/URI
Other
41 stars 48 forks source link

Newer URI::Escape versions break LWP::Curl #115

Closed oalders closed 1 year ago

oalders commented 1 year ago

https://rt.cpan.org/Ticket/Display.html?id=144758

Thanks to @andk for the report!

Would be helpful to add a GitHub action test for the downstream dep as well.

oalders commented 1 year ago

See https://github.com/libwww-perl/URI/pull/116

haarg commented 1 year ago

LWP::Curl is going this:

uri_escape($url, "[^:./]")

This is obviously attempting to use a negative character class, but is doing so incorrectly. On older versions of URI, the actual result is not escaping everything, or possibly throwing an error. It would construct a regex /[[^:.\/]]/, which matches one of [, ^, ., or \ followed by a ]. If this ever did match, such as a URL containing [], it would fail to encode the two character sequence and then give a bogus error.

With the new URI, it escapes any of the characters [, ^, :, ., /, and ]. While this does not match the expectations of the module, it feels like more appropriate behavior.

If this did act as a negative character class, it would also be broken. It would be escaping most characters, including all normal word characters. This would also break the test.

I think this is just a module bug, and we can ignore it.