New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dot-related inconsistencies in url.absolute() #1129

Closed
nnposter opened this Issue Feb 4, 2018 · 1 comment

Comments

Projects
None yet
2 participants
@nnposter

nnposter commented Feb 4, 2018

NSE function url.absolute() is not always returning results according to RFC 3986 when . or .. are involved.

  • One prominent category of cases is when .. exceeds the path depth
  • Terminal . and .. are treated differently when they are followed by / or not
  • Normalization does not happen if the second argument is already absolute
  • A few bugs

Here are the test suite results:

arg1      arg2      output    RFC
"a"       "."       "."       ""
"a"       "./"      ""        ""
".."      "b"       "b"       "b"
"../"     "b"       "../b"    "b"
"/"       ".."      ""        "/"
"/"       "../"     ""        "/"
"/../"    ".."      ".."      "/"
"/../"    "../"     "../"     "/"
"a/.."    "b"       "a/b"     "b"
"a/../"   "b"       "b"       "b"
"/a/.."   ""        "/a/"     "/"
""        "/a/.."   "/a/.."   "/"

I do have code that faithfully follows the RFC but the impact of this change is hard to gauge. In particular it could cause problems in contexts where the function is used to join two relative paths because the function would remove excessive .., possibly prematurely.

Please comment whether it is worth implementing this fix or whether we should add url.absolute2() for the correct behavior.

@cldrn

This comment has been minimized.

Member

cldrn commented Feb 21, 2018

Hey,

I think we should stick to the RFC. There shouldn't be a lot of scripts affected by this and if they are, we can easily fix them and at the end we will be RFC compliant.

@nmap-bot nmap-bot closed this in 4303c2f Feb 25, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment