Merge pull request #39 from henrikblomkvist/master

weavejester · web-flow · commit 84a7f6f8d117 · 2023-02-01T16:36:28.000Z
Ensure only hexadecimal percent codes are decoded
diff --git a/src/ring/util/codec.clj b/src/ring/util/codec.clj
@@ -56,7 +56,7 @@
    (percent-decode encoded "UTF-8"))
   ([^String encoded ^String encoding]
    (str/replace encoded
-                #"(?:%[A-Za-z0-9]{2})+"
+                #"(?:%[A-Fa-f0-9]{2})+"
                 (fn [chars]
                   (-> (parse-bytes chars)
                       (String. encoding)
diff --git a/test/ring/util/test/codec.clj b/test/ring/util/test/codec.clj
@@ -9,7 +9,7 @@
   (is (= (percent-encode "foo") "%66%6F%6F")))
 
 (deftest test-percent-decode
-  (is (= (percent-decode "%s/") "%s/"))
+  (is (= (percent-decode "%s4/") "%s4/"))
   (is (= (percent-decode "%20") " "))
   (is (= (percent-decode "foo%20bar") "foo bar"))
   (is (= (percent-decode "foo%FE%FF%00%2Fbar" "UTF-16") "foo/bar"))
