sporkmonger / addressable

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.
Apache License 2.0

Disallow backtick in host #511

Open greenfork opened 1 year ago

greenfork commented 1 year ago

The tilde backtick symbol (`) seems allowed in the host. In the spec it is not allowed:

host          = IP-literal / IPv4address / reg-name
reg-name      = *( unreserved / pct-encoded / sub-delims )
unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

require "addressable"

Addressable::URI.parse("htttp://`www.example.com")
#=> #<Addressable::URI:0x3c URI:htttp://`www.example.com>
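The following is an added example, not code from Addressable or from this thread: a strict host check written directly from the RFC 3986 ABNF quoted above, so that a host such as the one in the report is rejected before it reaches an HTTP client. The `host_of` helper and the simplified IP-literal pattern are constructed for this example only; the real grammar for IPv6address and IPvFuture is not reproduced.

```ruby
# Character classes lifted from the ABNF in the report (RFC 3986, section 3.2.2).
UNRESERVED  = /[A-Za-z0-9\-._~]/
PCT_ENCODED = /%[0-9A-Fa-f]{2}/
SUB_DELIMS  = /[!$&'()*+,;=]/

# reg-name = *( unreserved / pct-encoded / sub-delims )
# Note the "*": an empty reg-name is grammatically valid.
REG_NAME = /\A(?:#{UNRESERVED}|#{PCT_ENCODED}|#{SUB_DELIMS})*\z/

# Simplified IP-literal (assumption for this example): bracketed hex, colons
# and dots only. RFC 3986 also allows IPvFuture inside the brackets.
IP_LITERAL = /\A\[[0-9A-Fa-f:.]+\]\z/

# True when +host+ satisfies the character rules of the host production.
# A backtick is in none of the three classes, so "`www.example.com" fails.
def valid_host?(host)
  return false if host.nil?
  return true if host.match?(IP_LITERAL)
  host.match?(REG_NAME)
end

# Every character of +host+ that no production permits, for precise logging
# of why a URL was rejected. A lone "%" is reported by valid_host? instead,
# since it is only legal as the start of a pct-encoded triplet.
def invalid_host_chars(host)
  return [] if host.match?(IP_LITERAL)
  host.scan(/[^A-Za-z0-9\-._~!$&'()*+,;=%]/).uniq
end

# Extracts the host from an absolute URL's authority, dropping userinfo and
# port. Constructed helper for this example, not the library's parser.
def host_of(url)
  m = url.match(%r{\A[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)})
  return nil unless m
  authority = m[1].sub(/\A[^@]*@/, "")          # drop userinfo
  if authority.start_with?("[")
    authority[/\A\[[^\]]*\]/] || authority      # keep "[...]", drop ":port"
  else
    authority.sub(/:\d*\z/, "")                 # drop ":port"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: the URL from the report plus two ordinary ones.
  ["htttp://`www.example.com", "http://user:pw@example.com:8080/x", "http://[::1]:8080/"].each do |url|
    host = host_of(url)
    puts "#{url} -> host=#{host.inspect} valid=#{valid_host?(host)} bad=#{invalid_host_chars(host).inspect}"
  end
end
```

Running the block prints one line per sample URL; the first reports `valid=false` with the backtick listed as the offending character, which is the behaviour a caller would want from a strict parser and the behaviour Ruby's stdlib `uri` already has.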
dentarg commented 1 year ago

Yeah, this looks like a bug.

uri blows up on it:

irb(main):004:0> URI.parse("http://`www.example.com")
/Users/dentarg/.rubies/3.2.2/lib/ruby/3.2.0/uri/rfc3986_parser.rb:66:in `split': bad URI(is not URI?): "http://`www.example.com" (URI::InvalidURIError)
    from /Users/dentarg/.rubies/3.2.2/lib/ruby/3.2.0/uri/rfc3986_parser.rb:71:in `parse'
    from /Users/dentarg/.rubies/3.2.2/lib/ruby/3.2.0/uri/common.rb:193:in `parse'
    from (irb):4:in `<main>'
    from /Users/dentarg/.rubies/3.2.2/lib/ruby/gems/3.2.0/gems/irb-1.6.2/exe/irb:11:in `<top (required)>'
    from /Users/dentarg/.rubies/3.2.2/bin/irb:25:in `load'
    from /Users/dentarg/.rubies/3.2.2/bin/irb:25:in `<main>'