paypal / paypalhttp_ruby

MIT License

Encoding of Return URI broken with v2.0.0 #22

Closed rbclark closed 2 years ago

rbclark commented 2 years ago

General information

Issue description

With the replacement of URI.escape with CGI.escape in 2.0.0, it is no longer possible to properly encode a return URI when using the Paypal Payflow flow. The RETURNURL is encoded improperly and the app redirects to the completely wrong URL. See https://github.com/paypal/paypalhttp_ruby/pull/4#issuecomment-1068402671 for more information.

hlahlou-pp-dev commented 2 years ago

Hello! Would you mind sharing the end result of the improperly encoded URI? Or is it the same result as the comment you linked?

rbclark commented 2 years ago

Hello, yes it is the same as URI.encode_www_form_component:

irb(main):002:0> str = "http://localhost:3001/"
=> "http://localhost:3001/"
irb(main):003:0> URI.escape(str)
(irb):3: warning: URI.escape is obsolete
=> "http://localhost:3001/"
irb(main):004:0> CGI.escape(str)
=> "http%3A%2F%2Flocalhost%3A3001%2F"
irb(main):005:0> URI.encode_www_form_component(str)
=> "http%3A%2F%2Flocalhost%3A3001%2F"
irb(main):006:0> p = URI::Parser.new
=> #<URI::RFC2396_Parser:0x000000015a1c2478>
irb(main):007:0> p.escape(str)
=> "http://localhost:3001/"

hlahlou-pp-dev commented 2 years ago

You're right, the encoding of the special characters "/" and ":" can be seen within this test case.

https://github.com/paypal/paypalhttp_ruby/blob/master/spec/paypalhttp/encoder_spec.rb#L125

We will address this issue and release an update to this shortly using URI::PARSER.new, after completing validation.

camlau-pp-dev commented 2 years ago

Hi @rbclark,

We have just addressed this issue and deployed it. The new version can be found here: https://rubygems.org/gems/paypalhttp/versions/2.0.1.

Thank you for bringing this to our attention!
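The difference the thread turns on, as an added Ruby example that is not part of the issue or of the paypalhttp gem: form-component encoding (CGI.escape / URI.encode_www_form_component) is the right tool when a URL is one value inside form-encoded data and the receiver decodes it, while parser-based URI escaping leaves ":" and "/" intact when the string must still be usable as a URL. The sample URL is the one from the irb session above; URI::RFC2396_Parser is named explicitly because that is the class URI::Parser.new returned in the thread, and the helper names are this example's own.

```ruby
require "cgi"
require "uri"

# Sample return URL taken from the irb session in the issue (constructed input).
RETURN_URL = "http://localhost:3001/"

# Form-component encoding, which is what 2.0.0 applied to the whole URL:
# every reserved character, ":" and "/" included, becomes %XX. This is correct
# only when the value is one parameter inside application/x-www-form-urlencoded
# data that the receiving side decodes again.
def escape_as_form_value(str)
  URI.encode_www_form_component(str)
end

# Parser-based URI escaping, the approach the maintainers moved to: only
# characters that are not legal in a URI are percent-encoded (a space becomes
# %20), so the result still parses as the same URL.
def escape_as_uri(str)
  URI::RFC2396_Parser.new.escape(str)
end

# Check that an encoded redirect target still resolves to the intended
# scheme, host, port and path. An over-encoded URL fails this check because
# "http%3A%2F%2F..." parses as a bare relative path with no scheme or host,
# which is exactly how an app ends up redirecting to the wrong place.
def preserves_target?(original, encoded)
  o = URI.parse(original)
  e = URI.parse(encoded)
  [o.scheme, o.host, o.port, o.path] == [e.scheme, e.host, e.port, e.path]
rescue URI::InvalidURIError
  false
end

# Where component encoding is appropriate: the URL travels as a named field in
# a form body and comes back out unchanged after URI.decode_www_form. The
# "RETURNURL" field name is used here only because the issue mentions it.
def form_body_roundtrip(url)
  body = URI.encode_www_form("RETURNURL" => url)
  decoded = URI.decode_www_form(body).to_h
  [body, decoded["RETURNURL"]]
end

if __FILE__ == $PROGRAM_NAME
  puts "form value:  #{escape_as_form_value(RETURN_URL)}"
  puts "uri escape:  #{escape_as_uri(RETURN_URL)}"
  puts "target kept? #{preserves_target?(RETURN_URL, escape_as_form_value(RETURN_URL))} / " \
       "#{preserves_target?(RETURN_URL, escape_as_uri(RETURN_URL))}"
  puts "form body:   #{form_body_roundtrip(RETURN_URL).first}"
end
```

The `preserves_target?` check is the kind of assertion worth keeping in an integration test around any redirect or return URL a library serializes for you: it catches both outcomes shown in the thread (a URL that survives escaping and one that has been turned into an opaque percent-encoded blob) without depending on which escaping function the library happens to call.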