@@ -13,7 +13,7 @@ REBOL [
1313 See: http://www.apache.org/licenses/LICENSE-2.0
1414 }
1515 Version: 0.5.4
16- Date: 12 -Jul-2024
16+ Date: 15 -Jul-2024
1717 File: %prot-http.r3
1818 Purpose: {
1919 This program defines the HTTP protocol scheme for REBOL 3.
@@ -41,6 +41,7 @@ REBOL [
4141 0.5.1 12-Jun-2023 "Oldes" "FEAT: anonymize authentication tokens in log"
4242 0.5.2 22-Jul-2023 "Oldes" "FEAT: support for optional Brotli encoding"
4343 0.5.3 11-Jul-2024 "Oldes" "FIX: redirection with a missing slash in the location field"
44+ 0.5.4 15-Jul-2024 "Oldes" "FIX: HTTP query validated when building a request"
4445 ]
4546]
4647
@@ -253,6 +254,22 @@ throw-http-error: func [
253254 ][ do error ]
254255]
255256
257+ escape-query: function/with [
258+ ;; "Escapes all chars which are not allowed in the HTTP query part (if not yet escaped)"
259+ query [any-string! ]
260+ ][
261+ parse query [some [
262+ some allowed
263+ | #"%" 2 numeric ;; already escaped
264+ | change #" " #"+"
265+ | change set c: skip (ajoin [#"%" enbase to binary! c 16 ])
266+ ]]
267+ query
268+ ][
269+ numeric: system/catalog/bitsets/numeric
270+ allowed: charset [#"a" -#"z" #"A" -#"Z" #"0" -#"9" "-~!@*/|\;,._()[]{}+=?~" ]
271+ ]
272+
256273make-http-request : func [
257274 "Create an HTTP request (returns binary!)"
258275 spec [block! object! ] "Request specification from an opened port"
@@ -270,7 +287,7 @@ make-http-request: func [
270287 mold as url! :path ;; `mold as url!` is used because it produces correct escaping
271288 ]
272289 if :target [append request mold as url! :target ]
273- if :query [append append request #"?" :query ]
290+ if :query [append append request #"?" escape-query :query ]
274291
275292 append request " HTTP/1.1^M^/ "
276293
0 commit comments