Closed rbclark closed 2 years ago
Hello! Would you mind sharing the end result of the improperly encoded URI? Or is it the same result as the comment you linked?
Hello, yes it is the same as URI.encode_www_form_component:
irb(main):002:0> str = "http://localhost:3001/"
=> "http://localhost:3001/"
irb(main):003:0> URI.escape(str)
(irb):3: warning: URI.escape is obsolete
=> "http://localhost:3001/"
irb(main):004:0> CGI.escape(str)
=> "http%3A%2F%2Flocalhost%3A3001%2F"
irb(main):005:0> URI.encode_www_form_component(str)
=> "http%3A%2F%2Flocalhost%3A3001%2F"
irb(main):006:0> p = URI::Parser.new
=> #<URI::RFC2396_Parser:0x000000015a1c2478>
irb(main):007:0> p.escape(str)
=> "http://localhost:3001/"
You're right, the encoding of the special characters "/" and ":" can be seen within this test case: https://github.com/paypal/paypalhttp_ruby/blob/master/spec/paypalhttp/encoder_spec.rb#L125
We will address this issue and release an update to this shortly using URI::PARSER.new, after completing validation.
Hi @rbclark,
We have just addressed this issue and deployed it. The new version can be found here: https://rubygems.org/gems/paypalhttp/versions/2.0.1.
Thank you for bringing this to our attention!
General information
Issue description
With the replacement of URI.escape with CGI.escape in 2.0.0, it is no longer possible to properly encode a return URI when using the Paypal Payflow flow. The RETURNURL is encoded improperly and the app redirects to the completely wrong URL. See https://github.com/paypal/paypalhttp_ruby/pull/4#issuecomment-1068402671 for more information.