@Gary Steve's assertion is correct, we only generate ascii urls, nonascii urls coming in (*excluding the query params*) are definitely made up and can just 404.
For query params, the params have to be ascii (urls are a subset of ascii) but we may want to % decode and then utf8 decode to support searching for folk with internationalised names.
If I were hacking on this I would fix by checking for ascii in the non-query part of the path before doing any traversal.
@Gary Steve's assertion is correct, we only generate ascii urls, nonascii urls coming in (*excluding the query params*) are definitely made up and can just 404.
For query params, the params have to be ascii (urls are a subset of ascii) but we may want to % decode and then utf8 decode to support searching for folk with internationalised names.
If I were hacking on this I would fix by checking for ascii in the non-query part of the path before doing any traversal.