Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

uri: restrict setting protocol to file scheme #1832

Closed
wants to merge 2 commits into from
Closed

uri: restrict setting protocol to file scheme #1832

wants to merge 2 commits into from

Conversation

watilde
Copy link

@watilde watilde commented Mar 8, 2018

As file URLs cannot have username/password/port, we should not keep them when scheme is changed to file.

Refs: whatwg/url#259

@watilde
uri: restrict setting protocol to file scheme
e916d00 
As file URLs cannot have username/password/port,
we should not keep them when scheme is changed to file.

Refs: whatwg/url#259
@paddor
Copy link

paddor commented Mar 8, 2018

Isn’t this dangerous? Allowing from another scheme to file:// and keeping the path? IMO this should fail with a SecurityError.

What’s the use case?

@watilde
Copy link
Author

watilde commented Mar 8, 2018

@paddor That's the current behaviour as you can try and this patch doesn't touch it.

url = URI.parse('http://user:pass@example.com')
url.scheme = 'file'
puts url.to_s
# => file://user:pass@example.com

File URL can not have username, password and port, and this patch is just about how we handle it. It is possible to raise an error when arg_check = true at _check methods, but this change might be the smallest impact.

@paddor
Copy link

paddor commented Mar 9, 2018

I'm just wondering, what's the use case? With or without this patch, setting the scheme to file while keeping the path seems dangerous to me.

@watilde
Copy link
Author

watilde commented Mar 9, 2018

For example, it can use the path as file names when caching contents. If we specify the base URL, it is not dangerous so far. I'm also interested in discussing how the path should be handled between http and file, but I think it should happen at whatwg/url instead since this behaviour is what is assumed by the spec.

@watilde
Copy link
Author

watilde commented Mar 9, 2018
edited

// We might also be possible to open a new issue for it on the tracker :)

@paddor
Copy link

paddor commented Mar 9, 2018

This seems much safer and intuitive to me (path sanitizing not included):

[1] pry(main)> http_uri = URI 'http://example.com:8080/path/to/file.pdf'
=> #<URI::HTTP http://example.com:8080/path/to/file.pdf>
[2] pry(main)> file_uri = URI "file://#{http_uri.path}"
=> #<URI::Generic file:///path/to/file.pdf>

I do think it's dangerous, because the path could contain ../../ and cause your cache to serve some other, possibly sensitive file, if you don't properly sanitize the path of the HTTP URI.

@watilde
Copy link
Author

watilde commented Mar 9, 2018
edited

In my understanding, that ../../ will be ignored if it's trying to go to the shallower directory than the base path, so it will not be that critical imo.

e.g.

new URL('http://example.com/../../../foo/bar')
// => http://example.com/foo/bar

Either way, that seems reasonable to ask at the specification repository about what properties the parser should keep when the scheme is changed between file and http. I'm also curious what @nurse think on this since he seems to work hard on the parser of URI.

@paddor
Copy link

paddor commented Mar 9, 2018

It doesn't seem that way:

[1] pry(main)> URI 'http://example.com/../../../foo/bar'
=> #<URI::HTTP http://example.com/../../../foo/bar>

@watilde
Copy link
Author

watilde commented Mar 9, 2018

Wow really... Then I agree with you. Not a critical in a real world because of fewer use cases, but might not make sense to keep the path when the scheme is updated to file from http/https if we do not manage the relative path that can be shallower than the base path.

@watilde watilde mentioned this pull request Mar 13, 2018
Closed
matzbot pushed a commit that referenced this pull request Mar 15, 2018
@nurse
Introduce URI::File to handle file URI scheme
04883f1 
* the default value of URI::File's authority is "" (localhost).
  Both nil and "localhost" is normalized to "" by default.
* URI::File ignores setting userinfo and port
[Feature #14035]
fix #1719
fic #1832

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62767 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
hsbt pushed a commit to ruby/uri that referenced this pull request Aug 6, 2019
@nurse
Introduce URI::File to handle file URI scheme
77561ad 
* the default value of URI::File's authority is "" (localhost).
  Both nil and "localhost" is normalized to "" by default.
* URI::File ignores setting userinfo and port
[Feature #14035]
fix ruby/ruby#1719
fic ruby/ruby#1832

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62767 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
@k0kubun k0kubun changed the base branch from trunk to master August 15, 2019 17:34
@k0kubun
Copy link
Member

k0kubun commented Aug 17, 2019

Hmm, 04883f1 says it fixes this but it failed due to typo. Let me close this.

@k0kubun k0kubun closed this Aug 17, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
3 participants
@watilde @paddor @k0kubun