💾 Archived View for gemini.bunburya.eu › newsgroups › gemini › messages › srmreb$f6r$1@gioia.aioe.or… captured on 2023-04-26 at 14:04:08. Gemini links have been rewritten to link to archived content

-=-=-=-=-=-=-

URL Parsers

Message headers

From: James Tomasino <james@tomasino.org>

Subject: URL Parsers

Date: Wed, 12 Jan 2022 15:17:30 +0000

Message-ID: <srmreb$f6r$1@gioia.aioe.org>

Message content

We've had some (*cough*) discussion on the complexities of URLs in the past on the mailing list. Daniel of curl fame just wrote an excellent post about the topic and the dangers of using different parsers or parsing algorithms.

https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/

Note: the link to the report is currently a broken URL. The correct link seems to be:

https://mysecuritymarketplace.com/mp-files/exploiting-url-parsers-the-good-bad-and-inconsistent.pdf/

It's easy to include URLs in Gemini (or URIs or IRIs or whatever variant we want to rant about) without careful consideration to what they really represent. Beyond a simple content address, they offer all sorts of crazy behaviors on the fringes.

It's worth a read, if only for the library vulnerabilities. Maybe it can help mitigate some issues for server authors.

- tomasino
