wkcaj/safecurl

URL with multiple "@" parsed incorrectly

wkcaj opened this issue · 4 comments

Raised by @shDaniell.

A URL such as http://user:pass@safecurl.fin1te.net?@google.com/ is parsed incorrectly.

The parse_url function in PHP sees the host as google.com, which is validated. However, cURL uses safecurl.fin1te.net, thus bypassing the checks.

A fix to disable URL credentials will be added to mitigate, until proper URL parsing can be implemented.

Fixed

Another bypass with this technique was found: http://validurl.com#user:pass@safecurl.fin1te.net

The temporary fix of disabling credentials has now been turned off (but the option is still there), since it was ineffective in some cases.

The permanent fix is to URL encode (with rawurlencode) the user, pass and fragment parts of the URL.

Another option would be to remove the fragment altogether (since it won't be sent to the server), but there may be instances of a developer just using the Url class to validate URLs, and not actually executing them with cURL.

And another bypass: http://google.com?user:pass@safecurl.fin1te.net

The path and query string will also be URL encoded. The query string, however, will need the following characters left unencoded, or else it won't be parsed properly by the receiving server:

& = ; [ ]

Fixed in a7c3d70
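The thread's fix is to rebuild the URL from the parts parse_url returned, percent-encoding every part except the host so that no stray "@", "?" or "#" can move the authority when cURL re-parses the string. The code below is an added illustration of that idea and is not SafeCurl's code from a7c3d70. The function names rebuild_url and encode_query are made up for the example; encoding the path one segment at a time (so the "/" separators survive) is an assumption, as is restoring exactly the five query delimiters listed above.

```php
<?php
// Added example, not SafeCurl's own code. Rebuilds a URL from parse_url()
// output so the host PHP validated is the host cURL will connect to.
// Rules follow the thread: rawurlencode user, pass, path and fragment, and
// rawurlencode the query but keep & = ; [ ] literal.

function encode_query(string $query): string
{
    // Percent-encode everything, then restore the delimiters that the
    // receiving server needs to see unencoded (the list from the thread).
    return str_replace(
        ['%26', '%3D', '%3B', '%5B', '%5D'],
        ['&',   '=',   ';',   '[',   ']'],
        rawurlencode($query)
    );
}

function rebuild_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        throw new InvalidArgumentException("Unparsable URL or no host: $url");
    }

    $out = '';
    if (isset($parts['scheme'])) {
        $out .= $parts['scheme'] . '://';
    }
    if (isset($parts['user'])) {
        // "@", ":", "?" and "#" inside credentials become %40 %3A %3F %23,
        // so they can no longer re-open the authority for cURL.
        $out .= rawurlencode($parts['user']);
        if (isset($parts['pass'])) {
            $out .= ':' . rawurlencode($parts['pass']);
        }
        $out .= '@';
    }
    // The host is emitted exactly as parse_url returned it: this is the
    // value the SSRF checks were run against.
    $out .= $parts['host'];
    if (isset($parts['port'])) {
        $out .= ':' . $parts['port'];
    }
    if (isset($parts['path'])) {
        // Assumption: encode per segment so "/" separators are preserved.
        $segments = array_map('rawurlencode', explode('/', $parts['path']));
        $out .= implode('/', $segments);
    }
    if (isset($parts['query'])) {
        $out .= '?' . encode_query($parts['query']);
    }
    if (isset($parts['fragment'])) {
        // Kept (and encoded) rather than dropped, for callers that only
        // validate the URL and never hand it to cURL.
        $out .= '#' . rawurlencode($parts['fragment']);
    }
    return $out;
}

// The three bypass URLs reported in this issue.
$bypasses = [
    'http://user:pass@safecurl.fin1te.net?@google.com/',
    'http://validurl.com#user:pass@safecurl.fin1te.net',
    'http://google.com?user:pass@safecurl.fin1te.net',
];

foreach ($bypasses as $u) {
    printf(
        "%s\n  host seen by parse_url: %s\n  string handed to cURL: %s\n\n",
        $u,
        (string) parse_url($u, PHP_URL_HOST),
        rebuild_url($u)
    );
}
```

Run it with `php` against a given PHP version to see which host parse_url picks for each input; whatever it picks, the rebuilt string has that host as its only unencoded authority, which is the property the validation relies on. Note that rawurlencode also turns characters such as "~" or unicode into percent sequences, which is harmless for cURL but changes the literal URL a server receives.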