From 86cf5a13939a54728b058d9d49908ae1ab2aafd6 Mon Sep 17 00:00:00 2001
From: nnposter
Date: Sat, 22 Jul 2017 01:10:40 +0000
Subject: [PATCH] Avoids URL/percent encoding of unreserved characters. Fixes #936
---
 CHANGELOG | 4 ++++
 nselib/url.lua | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 35b084bf0..c91f2e68c 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
+ characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
+ [nnposter]
+
 o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 target (unless the target explicitly declares otherwise), as per RFC 7230. [nnposter]
diff --git a/nselib/url.lua b/nselib/url.lua
index 1618f7da1..09ba8d5bd 100644
--- a/nselib/url.lua
+++ b/nselib/url.lua
@@ -66,7 +66,7 @@ local segment_set = make_set {
 -- @param s Binary string to be encoded.
 -- @return Escaped representation of string.
 local function protect_segment(s)
- return string.gsub(s, "([^A-Za-z0-9_])", function (c)
+ return string.gsub(s, "([^A-Za-z0-9_.~-])", function (c)
 if segment_set[c] then return c
 else return string.format("%%%02x", string.byte(c)) end
 end)
@@ -108,7 +108,7 @@ end
 -- @return Escaped representation of string.
 -----------------------------------------------------------------------------
 function escape(s)
- return string.gsub(s, "([^A-Za-z0-9_])", function(c)
+ return string.gsub(s, "([^A-Za-z0-9_.~-])", function(c)
 return string.format("%%%02x", string.byte(c))
 end)
 end
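Review bot: The rewritten `return string.gsub(...)` line in protect_segment still hands the caller both of gsub's results, the escaped string and the substitution count, although the doc comment promises a single escaped string. The same applies to escape() in the next hunk. A call placed last in an argument list or table constructor would forward the count as an extra value. Wrapping the call in parentheses truncates it to one result: `return (string.gsub(s, "([^A-Za-z0-9_.~-])", function (c)` closed by `end))`. The function's closing `end` lies outside the hunk.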
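Review bot: The doc comment above escape() still says only "Escaped representation of string" and does not record which characters the public encoder now leaves alone. I would add `-- Unreserved characters (A-Z a-z 0-9 - . _ ~, RFC 3986 section 2.3) are returned unencoded.` to it. One consequence worth stating there is that `.` is no longer turned into `%2e`, so a value of `.` or `..` passed through escape() comes out as a literal dot-segment, which a server or proxy may normalise away when the result is placed in a path. Callers are not visible in this diff, so any script that depended on the old output for such values should be rechecked. The doc comment starts above the hunk.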