Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

URL with multiple "@" parsed incorrectly #5

Closed
wkcaj opened this issue May 20, 2014 · 4 comments
Closed

URL with multiple "@" parsed incorrectly #5

wkcaj opened this issue May 20, 2014 · 4 comments
Assignees
@wkcaj
Labels
bug

Comments

@wkcaj
Copy link
Owner

wkcaj commented May 20, 2014

Raised by @shDaniell.

A url such as http://user:pass@safecurl.fin1te.net?@google.com/ is parsed incorrectly.

The parse_url function in PHP sees the host as google.com, which is validated. However, cURL uses safecurl.fin1te.net, thus bypassing the checks.

A fix to disable URL credentials will be added to mitigate, until proper URL parsing can be implemented.
@wkcaj wkcaj added the bug label May 20, 2014
@wkcaj wkcaj self-assigned this May 20, 2014
wkcaj pushed a commit that referenced this issue May 20, 2014
Issue #5: Adding option to disable credentials
f1be4e3
@wkcaj
Copy link
Owner Author

wkcaj commented May 20, 2014

Fixed

@wkcaj wkcaj closed this as completed May 20, 2014
@wkcaj wkcaj reopened this May 21, 2014
@wkcaj
Copy link
Owner Author

wkcaj commented May 21, 2014

Another bypass with this technique was found: http://validurl.com#user:pass@safecurl.fin1te.net

The temporary fix of disabling credentials has now been turned off (but the option is still there), since it was ineffective in some cases.

The permanent fix is to URL encode (with rawurlencode) the user, pass and fragment parts of the URL.

Another option would be to remove the fragment all together (since it won't be sent to the server), but there maybe instances of a developer just using the Url class to validate URLs, and not actually executing them with cURL.

@wkcaj wkcaj closed this as completed May 21, 2014
@wkcaj wkcaj reopened this May 21, 2014
@wkcaj
Copy link
Owner Author

wkcaj commented May 22, 2014

And another bypass: http://google.com?user:pass@safecurl.fin1te.net

The path and query string will also be URL encoded. The query string however will need the following not URL encoded, else it won't be parsed properly by the receiving server:

& = ; [ ]

wkcaj pushed a commit that referenced this issue May 22, 2014
Issue #5: Real fix - encoding URL parts
a7c3d70
@wkcaj
Copy link
Owner Author

wkcaj commented May 22, 2014

Fixed in a7c3d70

@wkcaj wkcaj closed this as completed May 22, 2014
j0k3r referenced this issue in j0k3r/safecurl Oct 1, 2015
@j0k3r
Revert "Issue #5: Real fix - encoding URL parts"
0812ff9 
This commit breaks an app and then always return a 404.

This reverts commit a7c3d70.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wkcaj wkcaj

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@wkcaj