Fix router matching pre-encoded URLs #8898
Conversation
Dreamsorcerer
added
backport-3.10
psf-chronographer
bot
added
the
bot:chronographer:provided
Codecov ReportAll modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found. Additional details and impacted files@@ Coverage Diff @@
## master #8898 +/- ##
=======================================
Coverage 98.27% 98.28%
=======================================
Files 107 107
Lines 34226 34221 -5
Branches 4058 4058
=======================================
- Hits 33637 33633 -4
+ Misses 416 415 -1
Partials 173 173
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
I'm not too sure about this, but I think everything is working and passing if I make this change to yarl: diff --git a/yarl/_quoting_py.py b/yarl/_quoting_py.py
index 585a1da..fc20b37 100644
--- a/yarl/_quoting_py.py
+++ b/yarl/_quoting_py.py
@@ -158,7 +158,7 @@ class _Unquoter:
if to_add is None: # pragma: no cover
raise RuntimeError("Cannot quote None")
ret.append(to_add)
- elif unquoted in self._unsafe:
+ elif unquoted in self._unsafe or unquoted == "/":
to_add = self._quoter(unquoted)
if to_add is None: # pragma: no cover
raise RuntimeError("Cannot quote None")Essentially, we shouldn't unquote |
https://datatracker.ietf.org/doc/html/rfc3986#section-2.4
I read that as the URL needs to be separated by delimiters before its decoded |
Hmm, I'm not sure how best to accommodate that... |
|
https://www.w3.org/Addressing/URL/4_URI_Recommentations.html
|
|
This gets messy quickly.. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 |
|
The safest course seems to never decode |
|
yarl treats but for the quoter |
|
I think making |
unsafe has a slightly different meaning, I tried that first. So, we'd probably want to add an ignore option or something separately, which would go where I hardcoded the value in the diff. |
|
Given the security implications, I suspect the change should be made regardless of backwards compatibility. |
|
Still haven't found a definitive answer on this one.....maybe we should be testing this against: https://github.com/web-platform-tests/wpt/blob/master/url/resources/percent-encoding.json |
Sounds like it could be a lot of work. Feel free to take that on, but I think this current solution is probably reasonable until that is done. |
I got a bit of a chuckle out of that. Its definitely a lot of work, and I wasn't intending for it to be done here. While I think it would be great to test long term, I was thinking we could look this specific case is handled there as a reference point. I plan on digging through it a bit more and provide some better analysis. Its Home Assistant beta week so I haven't had time to do that yet. |
for more information, see https://pre-commit.ci
|
Will test this shortly |
|
I'm hoping to find time to test this today |
|
Everything looks like its working as expected. Calling The |
Backport to 3.10: 💔 cherry-picking failed — conflicts found❌ Failed to cleanly apply 6be9452 on top of patchback/backports/3.10/6be94520ea46fe1829e6c9d986e7fc9f7db50cad/pr-8898 Backporting merged PR #8898 into master
🤖 @patchback |
Backport to 3.11: 💔 cherry-picking failed — conflicts found❌ Failed to cleanly apply 6be9452 on top of patchback/backports/3.11/6be94520ea46fe1829e6c9d986e7fc9f7db50cad/pr-8898 Backporting merged PR #8898 into master
🤖 @patchback |
Co-authored-by: J. Nick Koston <nick@koston.org> (cherry picked from commit 6be9452)
Co-authored-by: J. Nick Koston <nick@koston.org> (cherry picked from commit 6be9452)
#8898 now passes the unquoted path and we would unquote it again
#8898 now passes the unquoted path and we would unquote it again
Fixes #5621.
Fixes #6619.