uri: fix the query attribute parsing

The pin-* attributes belong to the query part. We should not parse them
until we see a '?' and they're separated with a '&'.

This might be an important thing -- some of the query attributes may
have security implications reaching outside scope of the token itself, to the
host system itself. E.g. a pin-source may cause the consumer to access a file
or module-path (unimplemented) execute code. The user may want to just chop the
attribute part off if they want the consumer access the token and not take the
security considerations into account.

0 files changed, 0 insertions, 0 deletions