On Fri, Sep 26, 2014 at 08:12:37PM -0500, Salz, Rich wrote: > > You're doing "HTML-entity" decoding here. URL decoding uses only the > > "%xx" stuff. See RFC3986. > > > > + else if (*p != '%') > > + *out++ = *p; > > Yes, I was treating it as an HTML form, not just a strict URI encoding.
Decoding "+" as a space applies only in the query part of the URL, in the base URI, "+" is a literal. Do doing this right requires a more sophisticated parser. My incomplete memory of URL syntax is: http://[user[:pass]@]host[:port/path1/path2/.../pathN[?param1=value1[&...]][#anchor] with various required encodings to prevent ambiguity that are context dependent! Parsing URLs correctly requires a bit of care. Are we trying to extract form data from the URL? What is the goal here? > > + /* URL decode? Really shouldn't be needed. */ > > + if (strchr(p, '+') != NULL && strchr(p, '%') != NULL) > > + p = urldecode(p); > > The comment was misleading and the second test isn't needed (and the && was > wrong). So: > /* URL decode? Might not be needed, so check first. */ > if (strchr(p, '%') != NULL) > p = urldecode(p); The decoder does not correctly NUL terminate "p" when it shrinks by replacing '%xx' with the corresponding octet. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org