Reject ambiguous URIs with unescaped "#" or "?" in username/password parts
ClosedPublic
Actions

Authored by epriestley on Apr 10 2017, 4:54 PM.

Details

Reviewers

Maniphest Tasks

T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns

Commits

rPHUfb9e0642c4ea: Reject ambiguous URIs with unescaped "#" or "?" in username/password parts

Summary

Fixes T12526. These URIs are ambiguous and nonstandard, and different versions of different clients parse them differently.

Instead of trying to get this right across PHP versions, just reject these outright. No normal user will ever expect these to work.

Test Plan

Ran unit tests in PHP 7.1, got clean results. See T12526 for more discussion.

Diff Detail

Repository

rPHU libphutil

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

Event Timeline

epriestley created this revision.Apr 10 2017, 4:54 PM

Harbormaster completed remote builds in B16370: Diff 42441.Apr 10 2017, 4:54 PM

chad accepted this revision.Apr 10 2017, 5:28 PM

This revision is now accepted and ready to land.Apr 10 2017, 5:28 PM

Closed by commit rPHUfb9e0642c4ea: Reject ambiguous URIs with unescaped "#" or "?" in username/password parts (authored by epriestley). · Explain WhyApr 10 2017, 5:34 PM

This revision was automatically updated to reflect the committed changes.

jbeck mentioned this in T12796: Ambiguous URL rejection broke existing remarkup blocks with: [[ <ambigous URI> ... ]] .Jun 5 2017, 6:00 AM

epriestley mentioned this in D18076: Don't fatal when encountering [[ <bad URI > | ... ]].Jun 5 2017, 12:48 PM

epriestley mentioned this in rPHU74a1350416eb: Don't fatal when encountering [[ <bad URI > | ... ]].Jun 5 2017, 4:41 PM

epriestley mentioned this in rPHU13662252b754: (stable) Don't fatal when encountering [[ <bad URI > | ... ]].

Revision Contents
Changeset List

Path

Size

src/

parser/

PhutilURI.php

10 lines

__tests__/

PhutilURITestCase.php

43 lines

Diff 42442

View Options

src/parser/PhutilURI.php

View Options

src/parser/tests/PhutilURITestCase.php

Reject ambiguous URIs with unescaped "#" or "?" in username/password partsClosedPublicActions