💾 Archived View for gopher.zcrayfish.soy › 1 › phlog › 20240209-hurls-come-back-to-bite captured on 2024-08-18 at 17:29:45. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-07-09)

➡️ Next capture (2024-08-25)

🚧 View Differences

-=-=-=-=-=-=-

----------------------------------------
hURLs come back to bite.
February 09th, 2024
----------------------------------------

I have recently noticed on literally every gopher server which I have
looked at does some funky stuff with HTML/XML/XHTML page which they
generate for hURL support... I expect to be able to write a URL raw into
a gophermap and have it just work, but, in practice, there are some
major issues...

Take this working example URL that contains the quotation mark character
(tabs have been replaced with pipes):
h|Amazing URL yay|URL:https://radar.zcrayfish.soy/"uhoh".html|
gopher.zcrayfish.soy|70

The problem, the quotation mark character destroys the anchor on the
generated page... Now, RFC1738 says "All unsafe characters must always
be encoded within a URL", and it specifically includes the quotation
mark character as an example of one which is sometimes unsafe.

Alternatively, for folks not seeking compliance with the URL RFCs, HTML
entities can be used for the reserved characters which are causing
issues.

In addition to breaking some legitimate URLs, this is a security issue
which allows arbitrary code insertion, including XSS attacks. For POC
point curl against any gopher server with a hURL and just add the
following to the end of your URL:
"><script%20type="text/javascript">alert("I%20am%20an%20alert%20box!");
</script>

For the servers that generate the hURL page in HTML, anyone who tries to
render it with javascript enabled is absolutely going to get a popup.

The good news: When a gopher server serves the hURL page as XML+XHTML
Strict, browsers that render the page as XML might not run the
javascript because the XML is malformed. So yeah, fuck using HTML 3.2
for that page.
----------------------------------------

Back to phlog index

gopher.zcrayfish.soy gopher root

364 folks realized that hURL reinventing the wheel over type w was a very
bad idea.

Comments are enabled for this post, select here to leave yours

Comments have been left on this post:

This is fixed in geomyidae.
Posted Sat Feb 10 11:36:08 UTC 2024 by p508932fb.dip0.t-ipconnect.de.
------------------------------------------------------------------------
The security side of this is fixed in the most recent versions of
bucktooth and geomyidae. Breaking change though because folks who were
using the reserved characters in their gophermap hURL entries will have
to change them somehow.  Not a hypothetical.
Posted Tue Feb 20 15:19:27 UTC 2024 by zcrayfish
------------------------------------------------------------------------