forked from loafle/openapi-generator-original
4e9d226443
`URI.encode` is obsolete. `CGI.escape`, `URI.encode_www_form` or `URI.encode_www_form_component` are recommended instead. https://ruby-doc.org/stdlib-2.6/libdoc/uri/rdoc/URI/Escape.html#method-i-escape URI.encode has different behaviour to CGI.escape: ```ruby URI.encode('hello/world?test%string') => "hello/world?test%25string" CGI.escape('hello/world?test%string') => "hello%2Fworld%3Ftest%25string" ``` I recently raised pull request #3039201cbdce29That pull request escapes path items at insertion. Before either pull request, the path item 'hello?world' would go into the URL as 'hello?world'. That behaviour was insecure as if an attacker could control the path item value, they could change the URL the application connected to. After #3039 'hello?world' would go in as 'hello%253Fworld'. This was safer than before, but it's still not correct. If I'd realised at the time, I would have made it correct at the time. What this pull request does is make it go in as 'hello%35world', which is correct. ApiClient::build_request_url was URI.encoding the whole path. This wasn't protecting against all undesirable characters in the path items, but was escaping % characters a 2nd time which was unhelpful. I have additionally removed URI.encode from Configuration::base_url as I can't see any benefit it could be bringing. There is no justification for it in the commit where it was originally added:47c8597d36