URL with multiple "@" parsed incorrectly
wkcaj opened this issue · 4 comments
Raised by @shDaniell.
A URL such as http://user:pass@safecurl.fin1te.net?@google.com/ is parsed incorrectly.
The parse_url function in PHP sees the host as google.com, which is validated. However, cURL uses safecurl.fin1te.net, thus bypassing the checks.
A fix to disable URL credentials will be added to mitigate, until proper URL parsing can be implemented.
Fixed
Another bypass with this technique was found: http://validurl.com#user:pass@safecurl.fin1te.net
The temporary fix of disabling credentials has now been turned off (but the option is still there), since it was ineffective in some cases.
The permanent fix is to URL encode (with rawurlencode) the user, pass and fragment parts of the URL.
Another option would be to remove the fragment altogether (since it won't be sent to the server), but there may be instances of a developer just using the Url class to validate URLs, and not actually executing them with cURL.
And another bypass: http://google.com?user:pass@safecurl.fin1te.net
The path and query string will also be URL encoded. The query string however will need the following not URL encoded, else it won't be parsed properly by the receiving server:
& = ; [ ]
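An added example, not SafeCurl's code and written in Python rather than PHP so that it runs stand-alone: the three URLs from this thread are checked with an RFC 3986 split and with a hypothetical lenient parser, before and after the components are percent-encoded as the thread describes. `quote` stands in for `rawurlencode`; `rfc_host`, `greedy_host`, `normalise` and `parsers_agree` are names assumed for the illustration.

```python
import re
from urllib.parse import quote, urlsplit

QUERY_SAFE = "&=;[]"  # left unencoded in the query, as listed in the thread

# The three URLs quoted in this issue.
BYPASS_URLS = [
    "http://user:pass@safecurl.fin1te.net?@google.com/",
    "http://validurl.com#user:pass@safecurl.fin1te.net",
    "http://google.com?user:pass@safecurl.fin1te.net",
]

def rfc_host(url):
    """Host per RFC 3986: the authority ends at the first '/', '?' or '#'."""
    return urlsplit(url).hostname

def greedy_host(url):
    """Hypothetical lenient parser: host is whatever follows the last '@'."""
    rest = url.split("://", 1)[1].rsplit("@", 1)[-1]
    return re.split(r"[/?#:]", rest, maxsplit=1)[0].lower()

def normalise(url):
    """Rebuild the URL with user, pass, path, query and fragment encoded."""
    p = urlsplit(url)
    out = p.scheme + "://"
    if p.username is not None:
        out += quote(p.username, safe="")
        if p.password is not None:
            out += ":" + quote(p.password, safe="")
        out += "@"
    out += p.hostname + (f":{p.port}" if p.port else "")
    out += quote(p.path, safe="/")
    # quote() also encodes '%', so existing escapes are double-encoded.
    if p.query:
        out += "?" + quote(p.query, safe=QUERY_SAFE)
    if p.fragment:
        out += "#" + quote(p.fragment, safe="")
    return out

def parsers_agree(url):
    """True when both parsers extract the same host from the URL."""
    return rfc_host(url) == greedy_host(url)

if __name__ == "__main__":
    for raw in BYPASS_URLS:
        fixed = normalise(raw)
        print(raw, "->", rfc_host(raw), "vs", greedy_host(raw))
        print("  ", fixed, "->", rfc_host(fixed), "vs", greedy_host(fixed))
```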