Fix Utils.build_nested_query to URL-encode all query string fields#1989
Conversation
In the formatted query string, the field should be fully URL-encoded.
The previous implementation left the square brackets as un-escaped.
It was noticed that if params were provided as a nested hash it produced
a different result than a hash of string fields. For example, the params
{ 'q[s]' => 'name' }
would result in the query string:
q%5Bs%5D=name
but
{ q: { s: 'name' } }
would result in:
q[s]=name
Both forms now produce the same correct result with fully URL-encoded
params.
Member
|
I'm okay with this but it seems like a potential breaking change. |
jeremyevans
approved these changes
Dec 3, 2022
Contributor
jeremyevans
left a comment
jeremyevans
left a comment
There was a problem hiding this comment.
I agree that this could potentially be breaking, but RFC 3986 is clear that [ and ] are reserved characters and should be percent encoded. So I think we should merge this.
ioquatix
pushed a commit
that referenced
this pull request
Dec 5, 2022
…1989) In the formatted query string, the field should be fully URL-encoded. The previous implementation left the square brackets as un-escaped. It was noticed that if params were provided as a nested hash it produced a different result than a hash of string fields. For example, the params { 'q[s]' => 'name' } would result in the query string: q%5Bs%5D=name but { q: { s: 'name' } } would result in: q[s]=name Both forms now produce the same correct result with fully URL-encoded params.
Contributor
|
Yeah, sadly it has broken tests of my Rack-based framework unclear and non-expected, just by some patch-version release. |
AlexWayfer
added a commit
to AlexWayfer/flame
that referenced
this pull request
Dec 22, 2022
Member
|
IIUC, one way to avoid this problem in your test is to avoid asserting the encoded representation and actually parse the URL and extract the query parameters. This should work regardless of the encoding and is probably a more robust test in general. |
tenderlove
added a commit
that referenced
this pull request
Jan 17, 2023
* 3-0-sec: (24 commits) bump version Update changelog Fix ReDoS vulnerability in multipart parser Fix ReDoS in Rack::Utils.get_byte_ranges Forbid control characters in attributes Bump patch version. `Rack::Request#POST` should consistently raise errors. (#2010) Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH (#2007) Rack::MethodOverride handle QueryParser::ParamsTooDeepError (#2006) Bump patch version. Fix Regexp deprecated third argument with Regexp::NOENCODING (#1998) Update tests to work on latest Rubies. (#1999) Bump patch version. Allow passing through streaming bodies. (#1993) Remove unnecessary executable bit from test files (#1992) Fix Utils.build_nested_query to URL-encode all query string fields (#1989) Trim trailing white space throughout the project (#1990) Fix some typos (#1991) Remove leading dot to fix compatibility with latest cgi gem. (#1988) Fix outdated Rack::Builder rdocs and remove Lobster references (#1986) ...
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Feb 9, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to sinatra/sinatra
that referenced
this pull request
Feb 13, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Feb 24, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Mar 4, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Mar 5, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
Contributor
I can agree. I've checked the tests again. It's simple tests for Maybe I should add |
Member
I think this is probably the correct approach. |
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Apr 11, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
May 15, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
May 16, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Aug 7, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
geoffharcourt
pushed a commit
to commonlit/sinatra
that referenced
this pull request
Nov 6, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Dec 23, 2023
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Jan 2, 2024
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
dentarg
added a commit
to dentarg/sinatra
that referenced
this pull request
Jan 5, 2024
The behaviour changed in Rack 3 with - rack/rack#1989 - rack/rack@ab1f1c1
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In the formatted query string, the field should be fully URL-encoded. The previous implementation left the square brackets as un-escaped.
It was noticed that if params were provided as a nested hash it produced a different result than a hash of string fields. For example, the params
would result in the query string:
but
would result in:
Both forms now produce the same correct result with fully URL-encoded params.