Date: Sat, 18 Jul 2020 03:26:24 +0000 (UTC)
From: nilesh.tr@gmail.com
To: ruby-core@ruby-lang.org
Subject: [ruby-core:99213] [Ruby master Bug#17029] URI.parse considers https://example.com/### invalid when browsers consider it valid

Issue #17029 has been updated by nileshtr (Nilesh Trivedi).

I filed an issue at the uri library's GitHub repo: https://github.com/ruby/uri/issues/8

----------------------------------------
Bug #17029: URI.parse considers https://example.com/### invalid when browsers consider it valid
https://bugs.ruby-lang.org/issues/17029#change-86593

* Author: nileshtr (Nilesh Trivedi)
* Status: Open
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-darwin19]
* Backport: 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN
----------------------------------------
I have a form with `` and in the backend, I try to extract the domain with `URI.parse(url).host`

A user was able to submit a value like `https://example.com/###` which passed the browser's validation check, but failed by `URI.parse` with this error:

```
        3: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/common.rb:234:in `parse'
        2: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:73:in `parse'
        1: from /Users/helix/.rbenv/versions/2.7.1/lib/ruby/2.7.0/uri/rfc3986_parser.rb:67:in `split'
URI::InvalidURIError (bad URI(is not URI?): "https://example.com/###")
```

You can try the browser's behavior at MDN's demo: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/url

This is what the MDN page says about validation:

The syntax of a URL is fairly intricate. It's defined by WHATWG's URL Living Standard ( https://url.spec.whatwg.org/ ) and is described for newcomers in our article What is a URL? ( https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL )

-- 
https://bugs.ruby-lang.org/
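
One way a backend can treat the parse failure described in this report as an ordinary validation rejection instead of an unhandled exception. This is an added example, not code from the report or from the uri library; `classify_submitted_url`, `ALLOWED_SCHEMES`, the reason symbols and the sample values are assumptions made for illustration.

```ruby
require "uri"

# Hypothetical policy: the form is meant to collect web URLs only.
ALLOWED_SCHEMES = %w[http https].freeze

# Classify a user-submitted URL without letting a parser exception escape.
# Returns [:ok, host] or [:rejected, reason], so the caller can answer with
# a validation error and log the reason instead of failing the request.
def classify_submitted_url(raw)
  return [:rejected, :not_a_string] unless raw.is_a?(String)

  uri = URI.parse(raw.strip)
  return [:rejected, :scheme] unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)

  host = uri.host.to_s
  return [:rejected, :no_host] if host.empty?

  [:ok, host.downcase]
rescue URI::InvalidURIError
  # On the Ruby version in the report, "https://example.com/###" ends up
  # here even though the browser's URL input validation accepted it.
  [:rejected, :unparseable]
end

# Sample submissions: the first is the value from the report, the rest are
# constructed for this example.
SAMPLES = [
  "https://example.com/###",
  "https://example.com/path#frag",
  "HTTPS://Example.COM/",
  "ftp://example.com/file",
  "not a url"
].freeze

SAMPLES.each do |value|
  status, detail = classify_submitted_url(value)
  puts format("%-32s %-9s %s", value.inspect, status, detail)
end
```

Client-side validation follows the WHATWG URL Standard while `URI.parse` follows RFC 3986, so the server-side check is the one that decides; counting `:unparseable` rejections shows how often the two disagree.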