[jira] [Commented] (HTTPCORE-778) URIBuilder uses incorrect encoding method for URI fragment

Tue, 11 Mar 2025 12:15:08 -0700 


    [ 
https://issues.apache.org/jira/browse/HTTPCORE-778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17934319#comment-17934319
 ] 

Oleg Kalnichevski commented on HTTPCORE-778:
--------------------------------------------

> However, there are cases which require some of those characters to not be 
> encoded (OAuth's 'fragment' response type, for example, but there are more).

[~peterhalicky] In those case request consumers fail to conform to the section 
6 of RFC 3986 (Normalization and Comparison). You should take the problem up 
with the developers / maintainers of those systems

> However, older version of httpclient (4.x) uses URIC set of safe characters 
> (i.e. non-encoded), which makes it a regression.

No, it is not. Versions of HttpClient older than 5.1 conform to RFC RFC2396 not 
RFC 3986.

> URIBuilder is taking the choice away and just encodes everything.

You are welcome to change this ticket to a feature request. Otherwise I will 
have to close it as INVALID.

Oleg

> URIBuilder uses incorrect encoding method for URI fragment
> ----------------------------------------------------------
>
>                 Key: HTTPCORE-778
>                 URL: https://issues.apache.org/jira/browse/HTTPCORE-778
>             Project: HttpComponents HttpCore
>          Issue Type: Bug
>          Components: HttpCore
>    Affects Versions: 5.3.3
>            Reporter: Peter Halicky
>            Priority: Major
>
> URI fragment is encoded in URIBuilder using:
> {code:java}
> PercentCodec.encode(sb, this.fragment, this.charset); {code}
> (line 401, end of buildString method)
> This encodes all characters except UNRESERVED using the percent-format.
> As per (obsoleted) RFC2396, URI fragment should use URIC safe-chars.
> As per RFC3986, quite a bit more characters should not be encoded:
> {code:java}
> pct-encoded   = "%" HEXDIG HEXDIG
> unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
> sub-delims    = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / 
> "="
> pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
> fragment    = *( pchar / "/" / "?" ) {code}
> Note that URIBuilder in httpclient 4.5.13 conforms to at least the old 
> RFC2396, as it uses URIC set of safe characters (i.e. this is in fact a 
> regression).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to