Page MenuHomePhabricator
Differential D17647

Reject ambiguous URIs with unescaped "#" or "?" in username/password parts
ClosedPublic
Actions

Authored by epriestley on Apr 10 2017, 4:54 PM.
Tags
None
Referenced Files
F15579302: D17647.id42441.diff
Tue, May 6, 11:19 PM
F15561126: D17647.id42442.diff
Tue, Apr 29, 6:14 PM
F15553215: D17647.id42442.diff
Mon, Apr 28, 12:40 AM
F15540219: D17647.diff
Fri, Apr 25, 6:48 AM
F15536449: D17647.diff
Thu, Apr 24, 9:48 AM
F15535916: D17647.id42441.diff
Thu, Apr 24, 7:37 AM
F15535848: D17647.id42441.diff
Thu, Apr 24, 7:08 AM
F15527818: D17647.diff
Tue, Apr 22, 6:44 AM
View All Files
Subscribers
None

Details

Reviewers
chad
Maniphest Tasks
T12526: parse_url() behavior has changed with PHP7, causing libphutil unit tests to fail and possibly creating security concerns
Commits
rPHUfb9e0642c4ea: Reject ambiguous URIs with unescaped "#" or "?" in username/password parts
Summary

Fixes T12526. These URIs are ambiguous and nonstandard, and different versions of different clients parse them differently.

Instead of trying to get this right across PHP versions, just reject these outright. No normal user will ever expect these to work.

Test Plan

Ran unit tests in PHP 7.1, got clean results. See T12526 for more discussion.

Diff Detail

Repository
rPHU libphutil
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
src/
parser/
10 lines
__tests__/
43 lines

Diff 42442

View Options

src/parser/PhutilURI.php

Loading...
View Options

src/parser/__tests__/PhutilURITestCase.php

Loading...
Phabricator · Built by Phacility