[erlang-questions] [BUG] in inets/http_uri.erl

Gleb Peregud gleber.p@REDACTED
Tue Aug 26 23:54:49 CEST 2008


According to RFC.

   An HTTP URL takes the form:
      http://<host>:<port>/<path>?<searchpart>
   ...
   Within the <path> and <searchpart> components, "/", ";", "?" are
   reserved.

and

   Octets must be encoded if they have no corresponding graphic
   character within the US-ASCII coded character set, if the use of the
   corresponding character is unsafe, or if the corresponding character
   is reserved for some other interpretation within the particular URL
   scheme.

This means that this URL is definitely incorrect. The "/" in
<searchpart> are not encoded. And there is no "/" separating <host>
and <path>. If the latter is corrected http_uri will work as expected:

3> http_uri:parse("http://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress&AWSAccessKeyId=XXX&CidrIp=0.0.0.0/6&FromPort=0&GroupName=test&IpProtocol=tcp&SignatureVersion=1&Timestamp=2008-08-26T19:41:13&ToPort=65535&Version=2007-08-29&Signature=ClTihgpBO3%2BsMIlEDRem9AcZ6%2F0%3D").
{http,[],"ec2.amazonaws.com",80,"/",
      "?Action=AuthorizeSecurityGroupIngress&AWSAccessKeyId=XXX&CidrIp=0.0.0.0/6&FromPort=0&GroupName=test&IpProtocol=tcp&SignatureVersion=1&Timestamp=2008-08-26T19:41:13&ToPort=65535&Version=2007-08-29&Signature=ClTihgpBO3%2BsMIlEDRem9AcZ6%2F0%3D"}

Are you able to correct these URIs/URLs in your system (by adding
separating "/" between <host> and <path>)? If yes, your problem is
solved.

BR

On Tue, Aug 26, 2008 at 11:41 PM, karol skocik <karol.skocik@REDACTED> wrote:
>
> Well, ok, I am no URI expert. They might be correct, but the fact is
> that python http client can work with them and do ec2
> AuthorizeSecurityGroupIngress requests, and they unfortunately have
> '/' as a part of the parameter value. The question is, what to do
> about that. Erlang already has an HTTPOption 'relaxed' in
> http:request. This case might be a good candidate for inclusion in the
> bag along with other irregularities allowed with 'relaxed' option.
>
> Cheers,
>  Karol
>
> On Tue, Aug 26, 2008 at 11:23 PM, Gleb Peregud <gleber.p@REDACTED> wrote:
> > On Tue, Aug 26, 2008 at 11:10 PM, karol skocik <karol.skocik@REDACTED>
> > wrote:
> >>
> >> Hi,
> >>  there is a bug in inets/http_uri.erl in function parse_uri_rest,
> >> which first looks for '/' and then for '?' to get hostname and query
> >> params.
> >> This is not very good since some requests can have '/' after '?',
> >> which messes up the hostname.
> >> Example:
> >>
> >> (netskin@REDACTED)15>
> >>
> >> http_uri:parse("http://ec2.amazonaws.com?Action=DescribeInstances&AWSAccessKeyId=XXX&SignatureVersion=1&Timestamp=2008-08-26T20:22:24&Version=2007-08-29&Signature=z%2FVynmrFTFe4dHtJlsPifSRtTLw%3D").
> >> {http,[],"ec2.amazonaws.com",80,"/",
> >>
> >>  "?Action=DescribeInstances&AWSAccessKeyId=XXX&SignatureVersion=1&Timestamp=2008-08-26T20:22:24&Version=2007-08-29&Signature=z%2FVynmrFTFe4dHtJlsPifSRtTLw%3D"}
> >>
> >> which is ok, hostname is "ec2.amazonaws.com", but now:
> >>
> >> (netskin@REDACTED)29>
> >>
> >> http_uri:parse("http://ec2.amazonaws.com?Action=AuthorizeSecurityGroupIngress&AWSAccessKeyId=XXX&CidrIp=0.0.0.0/6&FromPort=0&GroupName=test&IpProtocol=tcp&SignatureVersion=1&Timestamp=2008-08-26T19:41:13&ToPort=65535&Version=2007-08-29&Signature=ClTihgpBO3%2BsMIlEDRem9AcZ6%2F0%3D").
> >> {http,[],
> >>
> >>  "ec2.amazonaws.com?Action=AuthorizeSecurityGroupIngress&AWSAccessKeyId=XXX&CidrIp=0.0.0.0",
> >>      80,
> >>
> >>  "/6&FromPort=0&GroupName=test&IpProtocol=tcp&SignatureVersion=1&Timestamp=2008-08-26T19:41:13&ToPort=65535&Version=2007-08-29&Signature=ClTihgpBO3%2BsMIlEDRem9AcZ6%2F0%3D",
> >>      []}
> >>
> >> here, parameter CidrIp=0.0.0.0/6 denotes ip range you want to allow
> >> access to, with '/'. This results to {error, nxdomain} from
> >> http:request.
> >>
> >> Karol
> >> _______________________________________________
> >> erlang-questions mailing list
> >> erlang-questions@REDACTED
> >> http://www.erlang.org/mailman/listinfo/erlang-questions
> >
> > According to RFC [1] these URLs are incorrect. Hostname and url-path have to
> > be separated with "/". Hence there is no bug here
> >
> > 1: http://www.ietf.org/rfc/rfc1738.txt
> >
> > P.S. Karol, sorry for previous incomplete mail, I've hit "Send" by
> > mistake...
> >
> > --
> > Gleb Peregud
> > http://gleber.pl/
> >
> > Every minute is to be grasped.
> > Time waits for nobody.
> > -- Inscription on a Zen Gong
> >



--
Gleb Peregud
http://gleber.pl/

Every minute is to be grasped.
Time waits for nobody.
-- Inscription on a Zen Gong
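
The two splitting orders discussed in this thread, side by side, as an added Python example (not code from inets or from either poster). `split_slash_first` is a model of the behaviour reported for `parse_uri_rest`; `split_authority_first` ends the authority at the first "/", "?" or "#" as RFC 3986 section 3.2 specifies. The function names, the shortened URL and the simplified host check are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Shortened from the URLs in the thread (constructed sample input).
NO_SLASH = ("http://ec2.amazonaws.com?Action=AuthorizeSecurityGroupIngress"
            "&AWSAccessKeyId=XXX&CidrIp=0.0.0.0/6&FromPort=0")
WITH_SLASH = NO_SLASH.replace(".com?", ".com/?")

def split_slash_first(url):
    """Model of the reported behaviour: search for '/' first, '?' only if no '/'."""
    rest = url.split("://", 1)[1]
    cut = rest.find("/")
    if cut == -1:
        cut = rest.find("?")
    if cut == -1:
        cut = len(rest)
    host, tail = rest[:cut], rest[cut:]
    path, sep, query = tail.partition("?")
    return host, path or "/", sep + query

def split_authority_first(url):
    """RFC 3986 section 3.2: authority ends at the first '/', '?' or '#'."""
    rest = url.split("://", 1)[1]
    m = re.search(r"[/?#]", rest)
    cut = m.start() if m else len(rest)
    host, tail = rest[:cut], rest[cut:].split("#", 1)[0]
    path, sep, query = tail.partition("?")
    return host, path or "/", sep + query

# Simplified host check (assumption: reg-names and IPv4 only, optional port).
HOST_RE = re.compile(r"[A-Za-z0-9.-]+(:[0-9]+)?")

def host_is_plausible(host):
    """Reject a parsed host that still contains query delimiters or other junk."""
    return HOST_RE.fullmatch(host) is not None

if __name__ == "__main__":
    for url in (NO_SLASH, WITH_SLASH):
        a, b = split_slash_first(url), split_authority_first(url)
        print("slash-first :", a, "plausible host:", host_is_plausible(a[0]))
        print("authority   :", b, "plausible host:", host_is_plausible(b[0]))
        print("urlsplit    :", urlsplit(url).hostname)
```

Checking the parsed host before resolving it turns the `{error, nxdomain}` seen in the thread into an explicit parse rejection, and shows where two clients would disagree about which host a URL names.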


