Merge branch 'uri-non-utf8' into 'master'

Fix non-utf8 URI pct-decoding / unescape regression

Closes #2165

See merge request GNOME/glib!1569

fuzzing/fuzz_uri_escape.c

@@ -4,15 +4,20 @@ static void
 test_bytes (const guint8 *data,
             gsize         size)
 {
+  GError *error = NULL;
   GBytes *unescaped_bytes = NULL;
   gchar *escaped_string = NULL;
 
   if (size > G_MAXSSIZE)
     return;
 
-  unescaped_bytes = g_uri_unescape_bytes ((const gchar *) data, (gssize) size, NULL);
+  unescaped_bytes = g_uri_unescape_bytes ((const gchar *) data, (gssize) size, NULL, &error);
   if (unescaped_bytes == NULL)
-    return;
+    {
+      g_assert_nonnull (error);
+      g_clear_error (&error);
+      return;
+    }
 
   escaped_string = g_uri_escape_bytes (g_bytes_get_data (unescaped_bytes, NULL),
                                        g_bytes_get_size (unescaped_bytes),

glib/guri.c

@@ -2116,6 +2116,9 @@ g_uri_get_flags (GUri *uri)
  * want to avoid for instance having a slash being expanded in an
  * escaped path element, which might confuse pathname handling.
  *
+ * Note: `NUL` byte is not accepted in the output, in contrast to
+ * g_uri_unescape_bytes().
+ *
  * Returns: an unescaped version of @escaped_string or %NULL on error.
  * The returned string should be freed when no longer needed.  As a
  * special case if %NULL is given for @escaped_string, this function
@@ -2130,6 +2133,7 @@ g_uri_unescape_segment (const gchar *escaped_string,
 {
   gchar *unescaped;
   gsize length;
+  gssize decoded_len;
 
   if (!escaped_string)
     return NULL;
@@ -2139,14 +2143,21 @@ g_uri_unescape_segment (const gchar *escaped_string,
   else
     length = strlen (escaped_string);
 
-  if (!uri_decode (&unescaped,
-                   illegal_characters,
-                   escaped_string, length,
-                   FALSE,
-                   G_URI_FLAGS_PARSE_STRICT,
-                   0, NULL))
+  decoded_len = uri_decoder (&unescaped,
+                             illegal_characters,
+                             escaped_string, length,
+                             FALSE, FALSE,
+                             G_URI_FLAGS_PARSE_STRICT|G_URI_FLAGS_ENCODED,
+                             0, NULL);
+  if (decoded_len < 0)
     return NULL;
 
+  if (memchr (unescaped, '\0', decoded_len))
+    {
+      g_free (unescaped);
+      return NULL;
+    }
+
   return unescaped;
 }
 
@@ -2220,6 +2231,7 @@ g_uri_escape_string (const gchar *unescaped,
  *   is NUL-terminated.
  * @illegal_characters: (nullable): a string of illegal characters
  *   not to be allowed, or %NULL.
+ * @error: #GError for error reporting, or %NULL to ignore.
  *
  * Unescapes a segment of an escaped string as binary data.
  *
@@ -2232,21 +2244,23 @@ g_uri_escape_string (const gchar *unescaped,
  * want to avoid for instance having a slash being expanded in an
  * escaped path element, which might confuse pathname handling.
  *
- * Returns: (transfer full): an unescaped version of @escaped_string
- * or %NULL on error. The returned #GBytes should be unreffed when no
- * longer needed.
+ * Returns: (transfer full): an unescaped version of @escaped_string or %NULL on
+ * error (if decoding failed, using %G_URI_ERROR_MISC error code). The returned
+ * #GBytes should be unreffed when no longer needed.
  *
  * Since: 2.66
  **/
 GBytes *
 g_uri_unescape_bytes (const gchar *escaped_string,
                       gssize       length,
-                      const char *illegal_characters)
+                      const char *illegal_characters,
+                      GError     **error)
 {
   gchar *buf;
   gssize unescaped_length;
 
   g_return_val_if_fail (escaped_string != NULL, NULL);
+  g_return_val_if_fail (error == NULL || *error == NULL, NULL);
 
   if (length == -1)
     length = strlen (escaped_string);
@@ -2257,7 +2271,7 @@ g_uri_unescape_bytes (const gchar *escaped_string,
                                   FALSE,
                                   FALSE,
                                   G_URI_FLAGS_PARSE_STRICT|G_URI_FLAGS_ENCODED,
-                                  0, NULL);
+                                  G_URI_ERROR_MISC, error);
   if (unescaped_length == -1)
     return NULL;
 

glib/guri.h

@@ -358,7 +358,9 @@ char *      g_uri_escape_string    (const char *unescaped,
 GLIB_AVAILABLE_IN_2_66
 GBytes *    g_uri_unescape_bytes   (const char *escaped_string,
                                     gssize      length,
-                                    const char *illegal_characters);
+                                    const char *illegal_characters,
+                                    GError    **error);
+
 GLIB_AVAILABLE_IN_2_66
 char *      g_uri_escape_bytes     (const guchar *unescaped,
                                     gsize         length,

glib/tests/uri.c

@@ -348,6 +348,7 @@ test_uri_unescape_string (void)
       { "%0", NULL, NULL },
       { "%ra", NULL, NULL },
       { "%2r", NULL, NULL },
+      { "Timm B\344der", NULL, "Timm B\344der" },
       { NULL, NULL, NULL },  /* actually a valid test, not a delimiter */
     };
   gsize i;
@@ -367,6 +368,7 @@ test_uri_unescape_string (void)
 static void
 test_uri_unescape_bytes (gconstpointer test_data)
 {
+  GError *error = NULL;
   gboolean use_nul_terminated = GPOINTER_TO_INT (test_data);
   const struct
     {
@@ -410,14 +412,17 @@ test_uri_unescape_bytes (gconstpointer test_data)
           escaped = g_memdup (tests[i].escaped, escaped_len);
         }
 
-      bytes = g_uri_unescape_bytes (escaped, escaped_len, tests[i].illegal);
+      bytes = g_uri_unescape_bytes (escaped, escaped_len, tests[i].illegal, &error);
 
       if (tests[i].expected_unescaped_len < 0)
         {
           g_assert_null (bytes);
+          g_assert_error (error, G_URI_ERROR, G_URI_ERROR_MISC);
+          g_clear_error (&error);
         }
       else
         {
+          g_assert_no_error (error);
           g_assert_cmpmem (g_bytes_get_data (bytes, NULL),
                            g_bytes_get_size (bytes),
                            tests[i].expected_unescaped,