1. Do not assume that URLs will be treated the same across user-agents.
2. Do not assume that IPv4-mapped IPv6-addresses can be written in octal.
Another day. Another security report against #curl we could close.
curl disclosed on HackerOne: Incorrect Type Conversion in...
Summary: Octal Type Handling of Errors in IPv4 Mapped IPv6 Addresses in curl allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that...
HackerOne
gnu/m43
in reply to daniel:// stenberg://
> there is no single, fixed, known and established URL syntax to follow.
is rfc3986 not a full specification?
daniel:// stenberg://
in reply to gnu/m43
@Mae yes, but you will not find two URL parsers that interpret it the same way or even stick to the letter of that spec. Since the browsers took off in a different direction we can't really interop on the web if we are strict RFC3986 💔
daniel.haxx.se/docs/URL-intero…
The URL Interop Situation
daniel.haxx.se