[squid-dev] Percent-encoded URLs
Amos Jeffries
squid3 at treenet.co.nz
Sun Mar 11 06:51:46 UTC 2018
On 11/03/18 11:36, Eduard Bagdasaryan wrote:
> Hi Squid developers,
>
>
> I need your competent help with the following issue.
>
> While working on some public key generation issues I noticed that Squid
> does not decode percent-encoded URLs (at least before creating public
> keys). While trying to understand whether it is correct, I
> searched RFC7230 family for proxy-related MUST requirements but
> unfortunately did not find them. Another RFC3986 p. 6.2.2.2. describes
> 'percent-encoding normalization' of unreserved characters, but this is
> not a 'MUST' requirement. So, at first glance, Squid does not violate
> RFCs in this case. However, the fact that two equivalent URLs (with and
> w/o percent encoding) are treated differently may cause some
> confusion: for example, a 'DELETE' for such equivalent URL would fail.
>
> So my questions are:
>
> * are there any percent-encoding requirements for proxies?
>
AFAIK there are none specific to proxies. The client and server
requirements should be used on the relevant received or sent URLs.
IMO the decode should be done in URL::parse() method, and a re-encode
should be done in the getter methods as relevant for each URL section
(they are different, based on the different invalid-char sets).
FYI: When attempting to do that I was overridden by the QA requirement
that URLs "must not be changed" by Squid. The natural side effect is the
caching problem you describe, along with a DoS vulnerability which
apparently nobody in the "real world" cares about.
> * does Squid violate them?
>
Squid complies with RFC 1738 (not RFC 3986) currently.
Cheers
Amos
More information about the squid-dev
mailing list