Hyper and Rocket disagreeing on validity of URL #2733
Comments
It's definitely not a valid URL. Those curly braces should be percent-encoded, and hyper should be rejecting. This doesn't appear to be an exception, like curly braces in queries, where browsers allow them even though they don't conform to the spec: Chrome, Firefox, and Safari all percent-encode curly braces in paths. This one is a bit concerning because I'll raise an issue with hyper, though other such issues have not had much luck.
Reported at hyperium/hyper#3594. Thank you for bringing this up.
No problem! It's odd that they would allow this.
That seems like a terrible hack and it should not be supported by anyone.
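The rule the first comment refers to, that curly braces may not appear raw in a URL path, written out as an added example (not code from Rocket, hyper, or this thread). The function names are hypothetical, the character set is RFC 3986's `pchar` plus `/`, and the input is assumed to be the path component only.

```rust
// Added example, std only; not Rocket or hyper code. Input: path component only.

/// Bytes RFC 3986 permits unescaped in a path: pchar (except '%') plus '/'.
fn is_path_byte(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"-._~!$&'()*+,;=:@/".contains(&b)
}

/// True when b[i..] starts with a well-formed escape: '%' HEXDIG HEXDIG.
fn is_escape(b: &[u8], i: usize) -> bool {
    b.len() >= i + 3 && b[i] == b'%' && b[i + 1].is_ascii_hexdigit() && b[i + 2].is_ascii_hexdigit()
}

/// Offset and value of the first byte that makes `path` invalid, if any.
fn first_invalid(path: &str) -> Option<(usize, u8)> {
    let bytes = path.as_bytes();
    let mut i = 0;
    while i < bytes.len() {
        if is_escape(bytes, i) {
            i += 3;
        } else if is_path_byte(bytes[i]) {
            i += 1;
        } else {
            return Some((i, bytes[i]));
        }
    }
    None
}

/// Percent-encode every byte that may not appear raw; keep valid escapes.
fn normalize_path(path: &str) -> String {
    let bytes = path.as_bytes();
    let mut out = String::with_capacity(path.len());
    let mut i = 0;
    while i < bytes.len() {
        let keep = if is_escape(bytes, i) { 3 } else if is_path_byte(bytes[i]) { 1 } else { 0 };
        if keep == 0 {
            out.push_str(&format!("%{:02X}", bytes[i]));
            i += 1;
        } else {
            out.extend(bytes[i..i + keep].iter().map(|&b| b as char));
            i += keep;
        }
    }
    out
}

fn main() {
    let p = "/artists/{id}"; // path from the report above
    println!("{:?} -> {}", first_invalid(p), normalize_path(p));
}
```

A strict server would reject any path for which `first_invalid` returns `Some`; `normalize_path` shows the form browsers send instead.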
Rocket Version
0.5.0
Operating System
Fedora 39
Rust Toolchain Version
rustc 1.72.0-nightly (6162f6f12 2023-07-01)
What happened?
When firing a request to a non-existent URL with the string literal "http://localhost:8000/artists/{id}" (or any URL containing curly braces), Rocket returns a 404 as expected with the following warning:
I am not sure whether this does actually imply any security problems or not, I'm just here to report my find as instructed.
Test Case
Log Output
Additional Context
No response
System Checks
rustc
toolchain.