> You're doing "HTML-entity" decoding here. URL decoding uses only the
> "%xx" stuff. See RFC3986.
>
> + else if (*p != '%')
> + *out++ = *p;
Yes, I was treating it as an HTML form, not just a strict URI encoding.
> + /* URL decode? Really shouldn't be needed. */
> + if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
> + p = urldecode(p);
The comment was misleading and the second test isn't needed (and the && was
wrong). So:
/* URL decode? Might not be needed, so check first. */
if (strchr(p, '%') != NULL)
p = urldecode(p);
Thanks again.
So many bugs in such a small piece of code.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
