Page MenuHomePhabricator

Reject ambiguous URIs with unescaped "#" or "?" in username/password parts
ClosedPublic

Authored by epriestley on Apr 10 2017, 4:54 PM.
Tags
None
Referenced Files
F13353484: D17647.id42442.diff
Sun, Jun 23, 9:26 PM
F13331193: D17647.id42442.diff
Mon, Jun 17, 5:42 AM
F13330591: D17647.diff
Mon, Jun 17, 4:12 AM
F13316781: D17647.diff
Thu, Jun 13, 8:34 AM
F13314364: D17647.diff
Tue, Jun 11, 7:08 PM
F13262041: D17647.diff
Mon, May 27, 1:43 AM
F13233564: D17647.id42442.diff
May 21 2024, 2:24 AM
F13217481: D17647.id42441.diff
May 18 2024, 5:41 AM
Subscribers
None

Details

Summary

Fixes T12526. These URIs are ambiguous and nonstandard, and different versions of different clients parse them differently.

Instead of trying to get this right across PHP versions, just reject these outright. No normal user will ever expect these to work.

Test Plan

Ran unit tests in PHP 7.1, got clean results. See T12526 for more discussion.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable