D12155.id29227.diff
diff --git a/src/parser/__tests__/PhutilURITestCase.php b/src/parser/__tests__/PhutilURITestCase.php
--- a/src/parser/__tests__/PhutilURITestCase.php
+++ b/src/parser/__tests__/PhutilURITestCase.php
@@ -61,6 +61,32 @@
$this->assertEqual('@', $uri->getUser());
$this->assertEqual('@', $uri->getPass());
$this->assertEqual('http://%40:%40@domain.com/', (string)$uri);
+
+ // These tests are covering cases where cURL and parse_url() behavior
+ // may differ in potentially dangerous ways. See T6755 for discussion.
+
+ // In general, we defuse these attacks by emitting URIs which escape
+ // special characters so that they are interpreted unambiguously by
+ // cURL in the same way that parse_url() interpreted them.
+
+ $uri = new PhutilURI('http://u:p@evil.com?@good.com');
+ $this->assertEqual('u', $uri->getUser());
+ $this->assertEqual('p', $uri->getPass());
+ $this->assertEqual('evil.com', $uri->getDomain());
+ $this->assertEqual('http://u:p@evil.com?%40good.com=', (string)$uri);
+
+ $uri = new PhutilURI('http://good.com#u:p@evil.com/');
+ $this->assertEqual('good.com#u', $uri->getUser());
+ $this->assertEqual('p', $uri->getPass());
+ $this->assertEqual('evil.com', $uri->getDomain());
+ $this->assertEqual('http://good.com%23u:p@evil.com/', (string)$uri);
+
+ $uri = new PhutilURI('http://good.com?u:p@evil.com/');
+ $this->assertEqual('', $uri->getUser());
+ $this->assertEqual('', $uri->getPass());
+ $this->assertEqual('good.com', $uri->getDomain());
+ $this->assertEqual('http://good.com?u%3Ap%40evil.com%2F=', (string)$uri);
+
}
public function testURIGeneration() {
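Review bot: The three new cases (L23-L39) assert the parsed components and the escaped string, but never check that the escaped string re-parses to the same components, which is the property the comment on L19-L21 says the escaping is meant to guarantee. A round-trip assertion after each `(string)$uri` check, e.g. `$again = new PhutilURI((string)$uri); $this->assertEqual($uri->getDomain(), $again->getDomain());` (and likewise for user and pass), would pin that the emitted form is unambiguous rather than merely a fixed string. The `'good.com#u'` user on L30 also deserves a one-line comment stating that it is the parse_url() reading being locked in and that the `%23` on L33 is what keeps a consumer from reading the `#` as a fragment start, since a reader may otherwise take the assertion for a typo. The enclosing test method starts before this hunk.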
