On Thu, Oct 7, 2010 at 1:12 AM, Nick Mathewson <ni...@freehaven.net> wrote:
> On Fri, Sep 24, 2010 at 4:21 PM, Bas Verhoeven <libev...@bserved.nl> wrote:
> But what if somebody is saying something iffy like
>   asprintf(&query1, "q1=%s", v1);
>   asprintf(&query2, "q2=%s", v2);
>   encoded1 = evhttp_encode_uri(query1);
>   encoded2 = evhttp_encode_uri(query2);
>   asprintf(&url, "http://example.com?%s&%s", encoded1, encoded2);
> ?
>
> If they were relying on the previous broken behavior of
> evhttp_encode_uri(), changing it to do the right thing will break
> them. Of course, their code is already broken if they were relying on
> evhttp_encode_uri() actually encoding + characters reliably, so
> they're not in good shape either way.
>
> I've looked through the first few pages of google codesearch results
> for evhttp_encode_uri, and not found anything that suggests someone is
> doing this broken-but-almost-working thing.
>
> So, time to go ahead and make this change? The affected characters
> are "!$'()*+,/:=@"
>

Almost. But keep in mind that the value (the key as well, actually) should be encoded separately, not as a single unit. In your above example, the = should get encoded and not exactly as you thought.

So if the data you are encoding happens to be "a=b+c", what would you get if you encoded it along with the "q1=" part? If you encode "q1=a=b+c" you should end up with "q1%3Da%3Db%2Bc" which is not what you want. You want to encode the "a=b+c" part and add it to "q1=".

Incidentally, if the user has any control of the key name, then you will definitely want to encode the key part too.

--
"Be excellent to each other"