Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mojo::URL accepts invalid schemes #1540

Open
karenetheridge opened this issue Jul 20, 2020 · 8 comments
Open

Mojo::URL accepts invalid schemes #1540

karenetheridge opened this issue Jul 20, 2020 · 8 comments
Labels
feature request needs feedback

Comments

@karenetheridge
Copy link
Contributor

  • Mojolicious version: 8.57

Steps to reproduce the behavior

Mojo::URL->new("bar,baz:foo")

Expected behavior

An error in parse, or construction of an empty object, because "bar,baz" is not a valid scheme.

https://tools.ietf.org/html/rfc3986#section-3.1 provides the grammar: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).

Actual behavior

The above code constructs a uri object with scheme "bar,baz" and path "foo".

If this is accepted as a valid issue I can provide a pull request.
@karenetheridge karenetheridge changed the title Mojo::URL accepts invalid schemes without error Mojo::URL accepts invalid schemes Jul 20, 2020
@karenetheridge
Copy link
Contributor Author

Since the regex used in parse() is based on the "non-validating regular expression" in https://tools.ietf.org/html/rfc3986#appendix-B, I wonder if it might make sense to add a parallel strict parsing method that did validate, or alternately have a validate method that applied the grammars in https://tools.ietf.org/html/rfc3986#appendix-A (of which more components than just scheme have tighter constraints than are currently reflected by the regex in parse()).

@karenetheridge karenetheridge mentioned this issue Jul 20, 2020
Open
@stale
Copy link

stale bot commented Aug 31, 2020

This issue has been automatically marked as stale because it has not had recent activity. It may be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 31, 2020
@karenetheridge
Copy link
Contributor Author

I plan to look at this in the next month, tentatively with a new is_valid method added to Mojo::URL. Please advise on any interface suggestions.

@stale stale bot removed the stale label Aug 31, 2020
@stale
Copy link

stale bot commented Sep 30, 2020

This issue has been automatically marked as stale because it has not had recent activity. It may be closed if no further activity occurs. This is not a judgment on the merits of the issue, but an indication that more information may be needed to determine the appropriate course of action, if any. Thank you for your contributions.

@stale stale bot added the stale label Sep 30, 2020
@karenetheridge
Copy link
Contributor Author

karenetheridge commented Sep 30, 2020
edited
Loading

I hope to look at this soon, by adding a method (validate()? is_valid()?) to Mojo::URL to check each component, including scheme, for validity against the spec.

@stale stale bot removed stale labels Sep 30, 2020
@stale
Copy link

stale bot commented Oct 30, 2020

This issue has been automatically marked as stale because it has not had recent activity. It may be closed if no further activity occurs. This is not a judgment on the merits of the issue, but an indication that more information may be needed to determine the appropriate course of action, if any. Thank you for your contributions.

@stale stale bot added the stale label Oct 30, 2020
@karenetheridge
Copy link
Contributor Author

ok bot, I haven't forgotten

@stale stale bot removed the stale label Oct 30, 2020
@karenetheridge
Copy link
Contributor Author

There's some good info (and test cases) here:
https://claroty.com/wp-content/uploads/2022/01/Exploiting-URL-Parsing-Confusion.pdf
https://www.grc.com/sn/SN-853-Notes.pdf

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request needs feedback
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kraih @karenetheridge