On Fri, Sep 26, 2014 at 08:12:37PM -0500, Salz, Rich wrote:

> > You're doing "HTML-entity" decoding here. URL decoding uses only the
> > "%xx" stuff. See RFC3986.
> > 
> > +           else if (*p != '%')
> > +                   *out++ = *p;
> 
> Yes, I was treating it as an HTML form, not just a strict URI encoding.

Decoding "+" as a space applies only in the query part of the URL,
in the base URI, "+" is a literal.  Do doing this right requires
a more sophisticated parser.

My incomplete memory of URL syntax is:

    
http://[user[:pass]@]host[:port/path1/path2/.../pathN[?param1=value1[&...]][#anchor]

with various required encodings to prevent ambiguity that are
context dependent!  Parsing URLs correctly requires a bit of care.
Are we trying to extract form data from the URL?  What is the goal
here?

> > +           /* URL decode? Really shouldn't be needed. */
> > +           if (strchr(p, '+') != NULL && strchr(p, '%') != NULL)
> > +               p = urldecode(p);
> 
> The comment was misleading and the second test isn't needed (and the && was 
> wrong). So:
>                 /* URL decode? Might not be needed, so check first. */
>                 if (strchr(p, '%') != NULL)
>                     p = urldecode(p);

The decoder does not correctly NUL terminate "p" when it shrinks
by replacing '%xx' with the corresponding octet.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to