evhttp_encode_uri encodes all reserved characters, including !$'()*+,/:=@

Perviously, some characters not listed as "unreserved" by RFC 3986 (notably "!$'()*+,/:=@") were not encoded by evhttp_encode_uri. This made trouble, especially when encoding path components (where @ and / are bad news) and parameters (where + should get encoded so it doesn't later decode into a space). Spotted by Bas Verhoeven.
2025-01-31 09:12:55 +08:00 · 2010-10-08 12:57:11 -04:00 · 2010-10-08 12:57:11 -04:00 · 2e63a604da
commit 2e63a604da
parent 3b84489385
2 changed files with 13 additions and 9 deletions
--- a/http.c
+++ b/http.c
@ -2295,12 +2295,13 @@ evhttp_send_page(struct evhttp_request *req, struct evbuffer *databuf)
 }

 static const char uri_chars[256] = {
+	/* 0 */
 	0, 0, 0, 0, 0, 0, 0, 0,   0, 0, 0, 0, 0, 0, 0, 0,
 	0, 0, 0, 0, 0, 0, 0, 0,   0, 0, 0, 0, 0, 0, 0, 0,
-	0, 1, 0, 0, 1, 0, 0, 1,   1, 1, 1, 1, 1, 1, 1, 1,
-	1, 1, 1, 1, 1, 1, 1, 1,   1, 1, 1, 0, 0, 1, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0,   0, 0, 0, 0, 0, 1, 1, 0,
+	1, 1, 1, 1, 1, 1, 1, 1,   1, 1, 0, 0, 0, 0, 0, 0,
 	/* 64 */
-	1, 1, 1, 1, 1, 1, 1, 1,   1, 1, 1, 1, 1, 1, 1, 1,
+	0, 1, 1, 1, 1, 1, 1, 1,   1, 1, 1, 1, 1, 1, 1, 1,
 	1, 1, 1, 1, 1, 1, 1, 1,   1, 1, 1, 0, 0, 0, 0, 1,
 	0, 1, 1, 1, 1, 1, 1, 1,   1, 1, 1, 1, 1, 1, 1, 1,
 	1, 1, 1, 1, 1, 1, 1, 1,   1, 1, 1, 0, 0, 0, 1, 0,
@ -2317,7 +2318,7 @@ static const char uri_chars[256] = {
 };

 /*
- * Helper functions to encode/decode a URI.
+ * Helper functions to encode/decode a string for inclusion in a URI.
 * The returned string must be freed by the caller.
 */
 char *
--- a/include/event2/http.h
+++ b/include/event2/http.h
@ -506,14 +506,17 @@ void evhttp_clear_headers(struct evkeyvalq *headers);


 /**
-  Helper function to encode a URI.
+   Helper function to encode a string for inclusion in a URI.  All
+   characters are replaced by their hex-escaped (%00) equivalents,
+   except for characters explicitly unreserved by RFC3986 -- that is,
+   ASCII alphanumeric characters, hyphen, dot, underscore, and tilde.

-  The returned string must be freed by the caller.
+   The returned string must be freed by the caller.

-  @param uri an unencoded URI
-  @return a newly allocated URI-encoded string or NULL on failure
+   @param str an unencoded string
+   @return a newly allocated URI-encoded string or NULL on failure
 */
-char *evhttp_encode_uri(const char *uri);
+char *evhttp_encode_uri(const char *str);


 /**