> You're doing "HTML-entity" decoding here. URL decoding uses only the
> "%xx" stuff. See RFC3986.
>
> + else if (*p != '%')
> + *out++ = *p;
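Review bot: The `else if (*p != '%')` branch copies the byte through unchanged, so the only input left for whatever follows it is '%', and the quoted lines do not show what happens when that '%' is followed by fewer than two hex digits. Before consuming p[1] and p[2], check both with isxdigit() so a trailing "%" or "%4" cannot step past the terminating NUL, and decide explicitly whether a malformed escape is copied literally or rejected.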
Yes, I was treating it as an HTML form, not just a strict URI encoding.

> + /* URL decode? Really shouldn't be needed. */
> + if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
> + p = urldecode(p);

The comment was misleading and the second test isn't needed (and the && was wrong). So:

    /* URL decode? Might not be needed, so check first. */
    if (strchr(p, '%') != NULL)
        p = urldecode(p);

Thanks again. So many bugs in such a small piece of code.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
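Review bot: In the quoted `p = urldecode(p);` the result overwrites the only visible copy of the input pointer, and nothing in the hunk checks it. If urldecode() can return NULL (malformed escape, allocation failure), p is NULL for whatever runs next; if it returns a new buffer, the original is no longer reachable through p. Assign to a temporary, test it, and say in the comment who owns the decoded buffer. The `strchr(p, '+') != NULL &&` half of the guard also skips decoding for input that contains '%' but no '+'.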
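Added example, not code from the patch or from OpenSSL: a decoder that makes the distinction discussed in this message explicit, RFC 3986 percent-decoding ("%xx" only) versus HTML form decoding (which also maps '+' to a space). The name pct_decode, its form_mode flag and the decision to reject %00 are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(unsigned char c)
{
    if (isdigit(c))
        return c - '0';
    return tolower(c) - 'a' + 10;
}

/*
 * Decode src into dst (dstlen bytes, including the terminating NUL).
 * form_mode == 0: RFC 3986 percent-decoding only; '+' stays '+'.
 * form_mode != 0: HTML form decoding; '+' additionally becomes ' '.
 * Returns the decoded length, or -1 on a malformed escape, an encoded
 * NUL byte (%00, rejected here so the result stays a valid C string),
 * or insufficient space in dst.
 */
long pct_decode(const char *src, char *dst, size_t dstlen, int form_mode)
{
    size_t n = 0;

    for (; *src != '\0'; src++) {
        unsigned char c = (unsigned char)*src;

        if (c == '%') {
            /* Check src[1] before touching src[2]: "%" may be the last byte. */
            unsigned char h = (unsigned char)src[1];
            unsigned char l;
            if (!isxdigit(h)) return -1;
            l = (unsigned char)src[2];
            if (!isxdigit(l)) return -1;
            c = (unsigned char)(hexval(h) << 4 | hexval(l));
            if (c == '\0') return -1;
            src += 2;
        } else if (c == '+' && form_mode) {
            c = ' ';
        }
        if (n + 1 >= dstlen) return -1;   /* keep room for the NUL */
        dst[n++] = (char)c;
    }
    if (dstlen == 0) return -1;
    dst[n] = '\0';
    return (long)n;
}
```

With the constructed input "a%2Bb+c", strict mode yields "a+b+c" while form mode yields "a+b c": an encoded plus always survives, and a literal plus changes only under form rules.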