-
-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do not decode %2F in path #14
Conversation
I think both #4 and this PR are not right. You want to match against the decoded URI, except for the path delimiters (but just because the router has no capability to represent a non-path delimiting slash, but that's okay). A route In particular, quoting the very section you're linking:
Put it another way: a route should be canonical after splitting by delimiters and percent decoding. Very roughly, pseudo-code:
I think the proper implementation would be replacing any |
Any iterative approach to path matching is pretty much a non-starter. That's why fast-route, etc. exist. Perhaps instead we need to simply not decode EDIT: @bwoebi I see you suggested essentially the same thing in your edit. 😄 |
@trowski Yeah, replacing by And yeah, for sure, we can't do an iterative approach for performance, it was just pseudocode :-) |
@bwoebi Implemented with a simple call to |
You should do another str_replace after matching on the actual matches if the str_ireplace changed the string size of $path. |
Good call. Updated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks right to me now :-)
The approach is still flawed, because %252F in the original URL is now decoded to / instead of %2F. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See comment about design flaw.
I couldn't sleep so tried an idea of double-encoding any existing Perhaps then we do need to go back to my original proposal to not decode before path matching. Unfortunately that would be a BC break, requiring a new major. Luckily that's not really a problem for this library if it's necessary. |
Closing in favor of #15, as I think any string manipulation we attempt to do before matching is going to have potential collisions with the contents of the path before that manipulation. |
This reverts #4. I believe https://datatracker.ietf.org/doc/html/rfc3986.html#section-2.4 was mis-interpreted. We should not be decoding the path until after matching, otherwise "/" is interpreted as separating path segments.
See https://chat.stackoverflow.com/transcript/message/57474623#57474623.