💾 Archived View for gopher.zcrayfish.soy › 1 › phlog › 20240209-hurls-come-back-to-bite captured on 2024-08-18 at 17:29:45. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2024-07-09)
-=-=-=-=-=-=-
---------------------------------------- hURLs come back to bite. February 09th, 2024 ---------------------------------------- I have recently noticed on literally every gopher server which I have looked at does some funky stuff with HTML/XML/XHTML page which they generate for hURL support... I expect to be able to write a URL raw into a gophermap and have it just work, but, in practice, there are some major issues... Take this working example URL that contains the quotation mark character (tabs have been replaced with pipes): h|Amazing URL yay|URL:https://radar.zcrayfish.soy/"uhoh".html| gopher.zcrayfish.soy|70 The problem, the quotation mark character destroys the anchor on the generated page... Now, RFC1738 says "All unsafe characters must always be encoded within a URL", and it specifically includes the quotation mark character as an example of one which is sometimes unsafe. Alternatively, for folks not seeking compliance with the URL RFCs, HTML entities can be used for the reserved characters which are causing issues. In addition to breaking some legitimate URLs, this is a security issue which allows arbitrary code insertion, including XSS attacks. For POC point curl against any gopher server with a hURL and just add the following to the end of your URL: "><script%20type="text/javascript">alert("I%20am%20an%20alert%20box!"); </script> For the servers that generate the hURL page in HTML, anyone who tries to render it with javascript enabled is absolutely going to get a popup. The good news: When a gopher server serves the hURL page as XML+XHTML Strict, browsers that render the page as XML might not run the javascript because the XML is malformed. So yeah, fuck using HTML 3.2 for that page. ----------------------------------------
gopher.zcrayfish.soy gopher root
364 folks realized that hURL reinventing the wheel over type w was a very bad idea.
Comments are enabled for this post, select here to leave yours
Comments have been left on this post: This is fixed in geomyidae. Posted Sat Feb 10 11:36:08 UTC 2024 by p508932fb.dip0.t-ipconnect.de. ------------------------------------------------------------------------ The security side of this is fixed in the most recent versions of bucktooth and geomyidae. Breaking change though because folks who were using the reserved characters in their gophermap hURL entries will have to change them somehow. Not a hypothetical. Posted Tue Feb 20 15:19:27 UTC 2024 by zcrayfish ------------------------------------------------------------------------