Rocket: Matching Url-Escaped Routes

Created on 8 Jan 2019  路  3Comments  路  Source: SergioBenitez/Rocket

Rocket version: 0.4
OS: Macos/Ubuntu 14

Some clients url escape before calling a url, but the rocket matcher does not cover these.
E.g. for the url /$world, some clients will create /%24world.
As far as I could tell %24world is also explicitly disallowed, so there is no way to match the route.

#![feature(proc_macro_hygiene, decl_macro)]
#[macro_use] extern crate rocket;

#[get("/$world")]
fn world() -> &'static str {
    "Hello, $world!"
}

fn main() {
    rocket::ignite().mount("/", routes![world]).launch();
}

Behaviour in express.js and Spring

I checked the behaviour in express.js and Spring. The machers there cover both routes /$world and /%24world.

var express = require('express');
var app = express();

app.get('/\\$world', function (req, res) {
  res.send('Hello $World!');
});
app.listen(3000, function () {
  console.log('Example app listening on port 3000!');
});
request
Source
picture PSeitz
1

All 3 comments

Rocket should percent decode either during all URI parsing or during route comparison, both of which are very tricky to do correctly. Doing it during parsing would likely also mean changing the Origin URI retrieved via request guard, but I suspect most routes that do care about the request URI would prefer the decoded form.

jebrosen picture jebrosen on 9 Jan 2019
🎉1

We could also decode the url if there is a % char in it and then start with the matching. This should work if we internally store only the original route.

PSeitz picture PSeitz on 9 Jan 2019
👍1

Let's work on this in #998.

SergioBenitez picture SergioBenitez on 17 May 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Hokutosei picture Hokutosei  路  4Comments
shssoichiro picture shssoichiro  路  4Comments
ndarilek picture ndarilek  路  3Comments
lucklove picture lucklove  路  4Comments
klnusbaum picture klnusbaum  路  4Comments