-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect validation of version encoding #57
Comments
Hi, I observed the same behaviour which seems to be regression with the newest released version (1.2.1). When using version 1.2.0 I get the following: The behaviour of version 1.2.0 is the one I expected |
They should both be valid.
Be careful with version numbers that contain |
We had a few external contributions around this issue that seem to have created more problems. My bad for not looking deeper at the contributions/test additions and taking them at face value. I will take a look at this later tonight and hopefully have a fix. |
* remove unneed exception raising for the version param * do not skip URL encoding `:` and `+` characters * add test cases from old issues refs: #45, #46, #57 Signed-off-by: Steven Esser <[email protected]>
#61 with the fix for this. |
Hm, in the purl specification it says for the version |
When the spec says the version must be percent-encoded, it means that the version must be decoded on read and encoded on write, using the characters described in the encoding section. |
Sorry for the late response but I don't get why Maybe I miss something. Would be great if you could shed some light here. |
Reserved characters are not the characters that are supposed to be encoded. Wikipedia isn't really the best source, but it says "Other characters in a URI must be percent-encoded." and "When a character from the reserved set (a "reserved character") has a special meaning (a "reserved purpose") in a certain context, and a URI scheme says that it is necessary to use that character for some other purpose, then the character must be percent-encoded." This is not the case here. |
Fixed in master branch (both |
After parsing the version number out of a PURL string, packageurl-js validates that the version number was encoded exactly the way that packageurl-js would have encoded it. This seems like an extra thing that packageurl-js does, undirected by the spec. Even if the spec did say to validate that the version number was percent encoded, that doesn't actually mean anything because technically any ASCII string that doesn't contain '%' is a valid percent encoded string by definition.
This is problematic because different PURL implementations encode different sets of characters. If a version number contains a character that one PURL implementation unnecessary escapes and packageurl-js does not, or vice versa, packageurl-js will correctly parse the version number and then throw an exception because the encoding validation failed. For example, packageurl-js will fail to decode this valid PURL produced by packageurl-java:
pkg:t/n@1%3A2
.The text was updated successfully, but these errors were encountered: