URL Parsers

From: james@tomasino.org (James Tomasino)
Newsgroups: comp.infosystems.gemini
Subject: URL Parsers
Date: Wed, 12 Jan 2022 15:17:30 +0000
Organization: Aioe.org NNTP Server
Message-ID: <srmreb$f6r$1@gioia.aioe.org>
 by: James Tomasino - Wed, 12 Jan 2022 15:17 UTC

We've had some (*cough*) discussion on the complexities
of URLs in the past on the mailing list. Daniel of curl
fame just wrote an excellent post about the topic and
the dangers of using different parsers or parsing
algorithms.

https://daniel.haxx.se/blog/2022/01/10/dont-mix-url-parsers/

Note: the link to the report is currently a broken URL.
The correct link seems to be:
https://mysecuritymarketplace.com/mp-files/exploiting-url-parsers-the-good-bad-and-inconsistent.pdf/

It's easy to include URLs in Gemini (or URIs or IRIs or
whatever variant we want to rant about) without careful
consideration to what they really represent. Beyond a
simple content address, they offer all sorts of crazy
behaviors on the fringes.

It's worth a read, if only for the library
vulnerabilities. Maybe it can help mitigate some issues
for server authors.

- tomasino
