authorBen Noordhuis <info@bnoordhuis.nl>2013-05-15 22:25:45 +0200
committerBen Noordhuis <info@bnoordhuis.nl>2013-05-15 22:53:29 +0200
commit7124387b3414c41533078f14a84446e2e0a6ff95 (patch)
treeaf5af91c698e98a3278c41a3000be5161e06ae80 /lib/http.js
parentb3d1e504f4a3a4c44be3ca53b2aa44282fc391df (diff)
http: don't escape request path, reject bad chars
Commit 38149bb changes http.get() and http.request() to escape unsafe characters. However, that creates an incompatibility with v0.10 that is difficult to work around: if you escape the path manually, then in v0.11 it gets escaped twice. Change lib/http.js so it no longer tries to fix up bad request paths, simply reject them with an exception. The actual check is rather basic right now. The full check for illegal characters is difficult to implement efficiently because it requires a few characters of lookahead. That's why it currently only checks for spaces because those are guaranteed to create an invalid request. Fixes #5474.
Diffstat (limited to 'lib/http.js')
-rw-r--r--lib/http.js13
1 files changed, 8 insertions, 5 deletions
diff --git a/lib/http.js b/lib/http.js
index c45af98b9d..a1abd1e2e0 100644
--- a/lib/http.js
+++ b/lib/http.js
@@ -52,11 +52,14 @@ var ClientRequest = exports.ClientRequest = client.ClientRequest;
exports.request = function(options, cb) {
if (typeof options === 'string') {
options = url.parse(options);
- } else if (options && options.path) {
- options = util._extend({}, options);
- options.path = encodeURI(options.path);
- // encodeURI() doesn't escape quotes while url.parse() does. Fix up.
- options.path = options.path.replace(/'/g, '%27');
+ } else if (options && options.path && / /.test(options.path)) {
+ // The actual regex is more like /[^A-Za-z0-9\-._~!$&'()*+,;=/:@]/
+ // with an additional rule for ignoring percentage-escaped characters
+ // but that's a) hard to capture in a regular expression that performs
+ // well, and b) possibly too restrictive for real-world usage. That's
+ // why it only scans for spaces because those are guaranteed to create
+ // an invalid request.
+ throw new TypeError('Request path contains unescaped characters.');
}
if (options.protocol && options.protocol !== 'http:') {
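Review bot: The new guard on `options.path` rejects only U+0020, so CR, LF, tab and other control characters still pass the check and reach the request line. When the path is assembled from untrusted input, that leaves room for request splitting or header injection. A character-class test needs no lookahead and should cost about the same as the space test: `} else if (options && options.path && /[\u0000-\u0020]/.test(options.path)) {`, with the comment's last sentence changed to say "spaces and control characters". The check sits in `exports.request` only, so code that constructs `ClientRequest` directly presumably bypasses it, which is worth confirming. The function body continues outside the hunk.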