cpp-netlib/uri

'::' in url result in broken uri object

Closed this issue · 5 comments

cpp-netlib 0.11.0-rc1 downloaded from the website.

This code

uri::uri uri("http:://google.com"); //note double : in the url
assert(uri.port_range().empty());

results in a uri object with a broken hierarchical part. Some of the internal uri_parts iterator ranges point to random memory areas.

This problem could be critical for security-sensitive applications because it probably opens remote code execution vulnerabilities if the application reads URLs from outside.

Thanks for the report. This is an invalid URL and should result in an error. Would you be able to test if this is fixed in the uri subproject?

It works OK with the source from master. I noticed the API changed a lot in favor of using boost::optional. I like it :)

The only thing which looks suspicious is the path() accessor, which returns "://google.com". I think in this case parsing should result in an error, not in a uri having an incorrect path. But I might be wrong, maybe the URI spec allows this kind of URI.

Scanning RFC 3986, I actually believe this conforms to a valid URL:

scheme ":" hier-part [ "?" query ] [ "#" fragment ]
hier-part     = "//" authority path-abempty
                 / path-absolute
                 / path-rootless
                 / path-empty

The colon is interpreted as the first part of a path-rootless and therefore the behaviour you describe is correct. Therefore, I don't believe it's strictly an error.

You are correct. The second ':' represents the first segment in a path-rootless production, the next '//' represents an empty segment, and so on.

I do not know enough Boost.Spirit to fix this issue. Do you plan to fix it in cpp-netlib 0.11, or should I wait for 0.12 or 1.0, whichever comes first?

I don't think this issue will be fixed in 0.11, as that release will be made later this week. There will be no 0.12 so you ought to wait for 1.0.
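The RFC 3986 reading discussed in this thread, as an added example that is not part of the original issue and is not cpp-netlib code: it splits a URI with the Appendix B regular expression, shows that "http:://google.com" has no authority and the path "://google.com", and applies a caller-side check that rejects such input. The names `UriParts`, `split_uri`, `path_segments` and `usable_http_url` are hypothetical, and the scheme comparison is case-sensitive for brevity.

```cpp
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Hypothetical helper type for this example; not a cpp-netlib class.
struct UriParts {
    bool ok = false, has_authority = false;
    std::string scheme, authority, path;
};

// Split (not validate) a URI reference with the regex from RFC 3986, Appendix B.
UriParts split_uri(const std::string& s) {
    static const std::regex re(
        R"re(^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?)re");
    UriParts p;
    std::smatch m;
    if (!std::regex_match(s, m, re)) return p;
    p.ok = true;
    p.scheme = m[2].str();
    p.has_authority = m[3].matched;  // true only when "//" follows the scheme
    p.authority = m[4].str();
    p.path = m[5].str();
    return p;
}

// Break a path into its "/"-separated segments, keeping empty ones.
std::vector<std::string> path_segments(const std::string& path) {
    std::vector<std::string> out;
    std::size_t start = 0, slash;
    while ((slash = path.find('/', start)) != std::string::npos) {
        out.push_back(path.substr(start, slash - start));
        start = slash + 1;
    }
    out.push_back(path.substr(start));
    return out;
}

// Application policy (an assumption of this example): an http(s) URL read from
// outside must carry a non-empty authority, even if it is syntactically valid.
bool usable_http_url(const std::string& s) {
    const UriParts p = split_uri(s);
    return p.ok && (p.scheme == "http" || p.scheme == "https") &&
           p.has_authority && !p.authority.empty();
}

int main() {
    for (const char* u : {"http://google.com", "http:://google.com"})
        std::cout << u << " -> " << (usable_http_url(u) ? "accept" : "reject") << "\n";
}
```

Code that takes the host from a parsed URI should make this check itself, since a conforming parser accepts the double-colon form without error.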