Enforce normalization rules during signing #55
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AkshatM
force-pushed
the
fix_normalization
branch
2 times, most recently
from
6d92740 to
a19f9c3
Compare
For the authority, path, and scheme components, RFC 9421 requires that > Characters other than those in the "reserved" set are equivalent to > their percent-encoded octets: the normal form is to not encode them. This implies that we need to ensure we perform percent decoding to arrive at the normal form, ensuring that percent-encoded URLs and their non-encoded forms are treated as equivalent.
AkshatM
force-pushed
the
fix_normalization
branch
from
a19f9c3 to
adf181c
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For the authority, path, and scheme components, RFC 9421 (by citing Section 4.3.2 of RFC 3968) requires that
This implies that we need to ensure we perform percent decoding to arrive at the normal form, ensuring that percent-encoded URLs and their non-encoded forms are treated as equivalent.
This change adds the necessary requirements and supplies a test for the same.
Note
I'm actually not entirely sure if we must do percent-decoding - I'm discussing this privately with @thibmeu . In the event we discover that percent-decoding is not required, we should still enforce hostname and scheme lowercasing as well as treating an empty path string correctly during signing, which this PR introduces for sure.