Vexu / zuri

URI parser for Zig

Zuri may be vulnerable to parser differential attacks

jedisct1 opened this issue

https://1.1.1.1&@2.2.2.2%23@3.3.3.3 should be parsed as follows:

(using Node here, but all browsers behave the same)

```
new URL("https://1.1.1.1&@2.2.2.2%23@3.3.3.3/")
href: 'https://1.1.1.1&%402.2.2.2%23@3.3.3.3/',
origin: 'https://3.3.3.3',
protocol: 'https:',
username: '1.1.1.1&%402.2.2.2%23',
password: '',
host: '3.3.3.3',
hostname: '3.3.3.3',
port: '',
pathname: '/',
search: '',
searchParams: URLSearchParams {},
hash: ''
```

However, zuri parses the hostname as 2.2.2.2%23@3.3.3.3.
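
The mismatch reported above, as an added example (not zuri's code and not part of the thread): `firstAtHost` is a hypothetical stand-in for a parser that ends the userinfo at the first `@`, checked against Node's WHATWG `URL`, which splits at the last one. All function names and the second sample URL are constructed for illustration.

```javascript
// Added example, not zuri's code. firstAtHost() is a hypothetical stand-in
// for a parser that ends the userinfo at the FIRST "@" in the authority.

// Authority: the text between "scheme://" and the first "/", "?" or "#".
function authorityOf(input) {
  const m = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^\/?#]*)/.exec(input);
  if (!m) throw new TypeError('no authority component: ' + input);
  return m[1];
}

// Drop a trailing ":port"; a bracketed IPv6 literal ends in "]" and is kept.
function stripPort(hostport) {
  return hostport.replace(/:\d*$/, '');
}

function firstAtHost(input) {
  const a = authorityOf(input);
  const i = a.indexOf('@');
  return stripPort(i < 0 ? a : a.slice(i + 1)).toLowerCase();
}

// Host after the LAST "@", which is where the WHATWG URL parser splits.
function lastAtHost(input) {
  const a = authorityOf(input);
  return stripPort(a.slice(a.lastIndexOf('@') + 1)).toLowerCase();
}

// Compare both splits with Node's WHATWG URL. Any mismatch is reported,
// so percent-encoded or IDN hosts are flagged too (deliberately strict).
function hostDifferential(input) {
  const whatwg = new URL(input).hostname;
  const first = firstAtHost(input);
  const last = lastAtHost(input);
  return { whatwg, first, last, agree: first === whatwg && last === whatwg };
}

// First URL is the one from the issue; the second is a constructed control.
const samples = [
  'https://1.1.1.1&@2.2.2.2%23@3.3.3.3',
  'https://user:pw@example.com:8443/path',
];
for (const s of samples) console.log(s, hostDifferential(s));
```

A URL for which `agree` is false is one where a host allow-list check and the component that actually makes the request could see different hosts, so rejecting it before either runs is the safe default.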

5a6671c should fix this but there are probably still some other cases that are parsed wrong.

Yes, it looks good! 👍

URL parsing is tricky, but you did an awesome job with zuri!