Path escape if template parameter in path segment #30

Closed
mgiuca opened this issue Dec 7, 2017 · 0 comments

mgiuca commented Dec 7, 2017

Consider a manifest with:

"share_target": {
  "url_template": "/foo/{text}"
}

If the third-party app supplies text "..", it would allow the sharer to path-escape and direct the user to URLs that the share target never intended.

It's not clear how to resolve this; escaping '.' to "%2e" doesn't help because the URL Standard explicitly says that "%2e%2e" also means parent directory.

The easiest solution is to simply prevent placeholders from appearing before the '?' (so they have to be in the query or fragment). This is a bit restrictive but may be the only reliable method. Perhaps a more targeted solution is to say that it's illegal to have a placeholder in a path segment by itself, so you could have "/foo-{text}" but not "/{text}".

Related to #25, because if we banned placeholders in the path, we could reliably resolve the URL template at parse time.
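The behaviour described in the comment above, as an added example that is not part of the original issue or of the spec: it resolves an expanded template with the WHATWG URL parser to show that both ".." and "%2e%2e" collapse the path, then implements the two template checks the comment proposes. The function names and the `target.example` origin are assumptions made for illustration.

```javascript
// Added illustration; all function names here are hypothetical, not spec API.
const BASE = "https://target.example/"; // constructed share-target origin

// Naive expansion: percent-encode each value and substitute it in place.
function expandTemplate(template, values, encode = encodeURIComponent) {
  return template.replace(/\{(\w+)\}/g, (_, name) => encode(values[name] ?? ""));
}

// Resolve the expanded template with the WHATWG URL parser, as a browser would.
function resolvedPath(template, values, encode) {
  return new URL(expandTemplate(template, values, encode), BASE).pathname;
}

// Encoder that also escapes '.', to show that "%2e%2e" is still a dot segment.
const encodeDots = (s) => encodeURIComponent(s).replace(/\./g, "%2e");

// Everything before the first '?' or '#' is treated as the path part.
function pathPart(template) {
  return template.split(/[?#]/, 1)[0];
}

// Strict rule: placeholders may appear only in the query or fragment.
function placeholdersOnlyInQueryOrFragment(template) {
  return !/\{\w+\}/.test(pathPart(template));
}

// Targeted rule: no path segment may consist of a placeholder by itself.
function noBarePlaceholderSegment(template) {
  return !pathPart(template).split("/").some((seg) => /^\{\w+\}$/.test(seg));
}

// Constructed inputs: the template from the issue and the two alternatives.
for (const t of ["/foo/{text}", "/foo-{text}", "/foo?text={text}"]) {
  console.log(t, {
    resolved: resolvedPath(t, { text: ".." }),
    resolvedDotsEscaped: resolvedPath(t, { text: ".." }, encodeDots),
    strictOk: placeholdersOnlyInQueryOrFragment(t),
    targetedOk: noBarePlaceholderSegment(t),
  });
}
```

A manifest parser could run either check when the manifest is loaded and reject the `url_template` before any share is dispatched.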
