Bug Fix: Align URIBuilder encoding with RFC 3986

Previously, URIBuilder relied on partial or inconsistent character sets for
various components, causing valid sub-delims or other characters to be
unnecessarily percent-encoded or left unencoded in the fragment, query, userinfo,
reg-name, and path segments. This patch introduces dedicated BitSets for each
URI component (userinfo, host/reg-name, path segments, query, and fragment)
and updates URIBuilder to use them. As a result, characters like ':', '@', '/',
and '?' remain unencoded in the fragment and query where allowed by RFC 3986,
while certain sub-delimiters in the path and host are now percent-encoded for
strictness. This ensures consistent, RFC 3986–compliant encoding across all
URI components.

Author: Arturo Bernal

httpcore5/src/main/java/org/apache/hc/core5/net/PercentCodec.java

@@ -84,6 +84,16 @@ public class PercentCodec {
         URIC.or(UNRESERVED);
     }
 
+    static final BitSet FRAGMENT_SAFE = new BitSet(256);
+    static {
+        FRAGMENT_SAFE.or(UNRESERVED);
+        FRAGMENT_SAFE.or(SUB_DELIMS);
+        FRAGMENT_SAFE.set(':');
+        FRAGMENT_SAFE.set('@');
+        FRAGMENT_SAFE.set('/');
+        FRAGMENT_SAFE.set('?');
+    }
+
     static final BitSet RFC5987_UNRESERVED = new BitSet(256);
 
     static {
@@ -113,6 +123,37 @@ public class PercentCodec {
         RFC5987_UNRESERVED.set('~');
     }
 
+    static final BitSet PCHAR = new BitSet(256);
+    static final BitSet USERINFO = new BitSet(256);
+    static final BitSet REG_NAME = new BitSet(256);
+    static final BitSet PATH_SEGMENT = new BitSet(256);
+    static final BitSet QUERY = new BitSet(256);
+    static final BitSet FRAGMENT = new BitSet(256);
+
+    static {
+        PCHAR.or(UNRESERVED);
+        PCHAR.or(SUB_DELIMS);
+        PCHAR.set(':');
+        PCHAR.set('@');
+        USERINFO.or(UNRESERVED);
+        USERINFO.or(SUB_DELIMS);
+        USERINFO.set(':');
+        REG_NAME.or(UNRESERVED);
+        REG_NAME.or(SUB_DELIMS);
+        REG_NAME.clear('!');
+        PATH_SEGMENT.or(PCHAR);
+        QUERY.or(PCHAR);
+        QUERY.set('/');
+        QUERY.set('?');
+        FRAGMENT.or(PCHAR);
+        FRAGMENT.set('/');
+        FRAGMENT.set('?');
+        // Some sub-delims remain encoded (RFC 3986 allows them unencoded, but we choose to be strict).
+        PATH_SEGMENT.clear('(');
+        PATH_SEGMENT.clear(')');
+        PATH_SEGMENT.clear('&');
+    }
+
     private static final int RADIX = 16;
 
     static void encode(final StringBuilder buf, final CharSequence content, final Charset charset,

httpcore5/src/main/java/org/apache/hc/core5/net/URIBuilder.java

@@ -306,7 +306,7 @@ static void formatPath(final StringBuilder buf, final Iterable<String> segments,
             if (i > 0 || !rootless) {
                 buf.append(PATH_SEPARATOR);
             }
-            PercentCodec.encode(buf, segment, charset);
+            PercentCodec.encode(buf, segment, charset, PercentCodec.PATH_SEGMENT, false);
             i++;
         }
     }
@@ -356,18 +356,18 @@ private String buildString() {
                 } else if (this.userInfo != null) {
                     final int idx = this.userInfo.indexOf(':');
                     if (idx != -1) {
-                        PercentCodec.encode(sb, this.userInfo.substring(0, idx), this.charset);
+                        PercentCodec.encode(sb, this.userInfo.substring(0, idx), this.charset, PercentCodec.USERINFO, false);
                         sb.append(':');
-                        PercentCodec.encode(sb, this.userInfo.substring(idx + 1), this.charset);
+                        PercentCodec.encode(sb, this.userInfo.substring(idx + 1), this.charset, PercentCodec.USERINFO, false);
                     } else {
-                        PercentCodec.encode(sb, this.userInfo, this.charset);
+                        PercentCodec.encode(sb, this.userInfo, this.charset, PercentCodec.USERINFO, false);
                     }
                     sb.append("@");
                 }
                 if (InetAddressUtils.isIPv6(this.host)) {
                     sb.append("[").append(this.host).append("]");
                 } else {
-                    PercentCodec.encode(sb, this.host, this.charset);
+                    PercentCodec.encode(sb, this.host, this.charset, PercentCodec.REG_NAME, false);
                 }
                 if (this.port >= 0) {
                     sb.append(":").append(this.port);
@@ -391,14 +391,14 @@ private String buildString() {
                 formatQuery(sb, this.queryParams, this.charset, false);
             } else if (this.query != null) {
                 sb.append("?");
-                PercentCodec.encode(sb, this.query, this.charset, PercentCodec.URIC, false);
+                PercentCodec.encode(sb, this.query, this.charset, PercentCodec.QUERY, false);
             }
         }
         if (this.encodedFragment != null) {
             sb.append("#").append(this.encodedFragment);
         } else if (this.fragment != null) {
             sb.append("#");
-            PercentCodec.encode(sb, this.fragment, this.charset, PercentCodec.URIC, false);
+            PercentCodec.encode(sb, this.fragment, this.charset, PercentCodec.FRAGMENT, false);
         }
         return sb.toString();
     }

httpcore5/src/test/java/org/apache/hc/core5/net/TestURIBuilder.java

@@ -997,4 +997,33 @@ void testSetPlusAsBlank() throws Exception {
         params = uriBuilder.getQueryParams();
         Assertions.assertEquals("hello world", params.get(0).getValue());
     }
+
+    @Test
+    void testFragmentEncoding() throws Exception {
+        final String fragment = "frag ment:!@/?\"";
+        final String expectedEncodedFragment = "frag%20ment:!@/?%22";
+
+        final URI uri = new URIBuilder()
+                .setScheme("http")
+                .setHost("example.com")
+                .setFragment(fragment)
+                .build();
+
+        Assertions.assertEquals(expectedEncodedFragment, uri.getRawFragment());
+    }
+
+    @Test
+    void testCustomQueryEncoding() throws Exception {
+        final String query = "query param:!@/?\"";
+        final String expectedEncodedQuery = "query%20param:!@/?%22";
+
+        final URI uri = new URIBuilder()
+                .setScheme("http")
+                .setHost("example.com")
+                .setCustomQuery(query)
+                .build();
+
+        Assertions.assertEquals(expectedEncodedQuery, uri.getRawQuery());
+    }
+
 }