Zuri may be vulnerable to parser differential attacks
jedisct1 opened this issue · comments
https://1.1.1.1&@2.2.2.2%23@3.3.3.3
should be parsed as follows:
(using Node here, but all browsers behave the same)
new URL("https://1.1.1.1&@2.2.2.2%23@3.3.3.3/")
href: 'https://1.1.1.1&%402.2.2.2%23@3.3.3.3/',
origin: 'https://3.3.3.3',
protocol: 'https:',
username: '1.1.1.1&%402.2.2.2%23',
password: '',
host: '3.3.3.3',
hostname: '3.3.3.3',
port: '',
pathname: '/',
search: '',
searchParams: URLSearchParams {},
hash: ''
However, zuri parses the hostname as 2.2.2.2%23@3.3.3.3.
5a6671c should fix this but there are probably still some other cases that are parsed wrong.
Yes, it looks good! 👍
URL parsing is tricky, but you did an awesome job with zuri!
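The differential reported in this issue can be turned into a regression check. The following is an added example, not code from zuri or from the thread: it compares Node's built-in WHATWG `URL` parser against two hypothetical hostname extractors, one that ends the userinfo at the first `@` (which reproduces the hostname reported above) and one that ends it at the last `@`. All function names and the sample list are assumptions made for illustration.

```javascript
// Added example, not code from zuri. Reference: Node's built-in WHATWG URL.
const ISSUE_URL = "https://1.1.1.1&@2.2.2.2%23@3.3.3.3"; // URL from the issue

// Constructed sample inputs for the differential run.
const SAMPLES = [
  ISSUE_URL,
  "https://example.com/",
  "https://user:pw@example.com:8443/x",
  "https://a@b@example.org/",
];

// Extract the raw authority: everything after "scheme://" up to /, ? or #.
function authorityOf(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(input);
  return m ? m[1] : null;
}

// Drop a trailing ":port" and lowercase, so only the "@" handling differs.
function hostFrom(hostport) {
  return hostport.replace(/:\d*$/, "").toLowerCase();
}

// Hypothetical naive parser: ends userinfo at the FIRST "@".
function firstAtHostname(input) {
  const a = authorityOf(input);
  if (a === null) return null;
  const at = a.indexOf("@");
  return hostFrom(at === -1 ? a : a.slice(at + 1));
}

// Hypothetical corrected parser: ends userinfo at the LAST "@", as WHATWG does.
function lastAtHostname(input) {
  const a = authorityOf(input);
  if (a === null) return null;
  return hostFrom(a.slice(a.lastIndexOf("@") + 1));
}

function whatwgHostname(input) {
  try { return new URL(input).hostname; } catch { return null; }
}

// Return every input on which the candidate disagrees with the reference.
function findDifferentials(inputs, candidate) {
  return inputs
    .map((input) => ({ input, reference: whatwgHostname(input), candidate: candidate(input) }))
    .filter((r) => r.reference !== r.candidate);
}

console.log(findDifferentials(SAMPLES, firstAtHostname));
console.log(findDifferentials(SAMPLES, lastAtHostname));
```

Any hostname used for an allow-list or SSRF decision should come from the same parser that the HTTP client uses to connect, so a disagreement like the one listed here cannot separate the check from the request.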