[whatwg/url] "Let ipv4Host be the result of IPv4 parsing asci..." (#367)

https://url.spec.whatwg.org/commit-snapshots/5fc4c4c17f3077beda5e3647df73f4b1b0ba7084/#host-parsing

> Let ipv4Host be the result of IPv4 parsing asciiDomain.

This algorithm differs in a dangerous way from that in RFC 3986, in that it percent-decodes the host *before* determining if it is an IPv4 literal.  RFC 3986 dictates that percent-decoding must not occur until AFTER the host has been parsed.  So by RFC 3986, a percent-encoded IPv4 literal is to be treated as a "regname".

This means that an RFC 3986 WAF would pass such percent-encoded literals, which a WHATWG-URL application would then interpret as an IPv4 address.

The algorithm should be changed to match the behavior of RFC 3986, or (better yet) to explicitly disallow hosts which are valid IPv4 addresses after percent-decoding.

https://github.com/whatwg/url/issues/367

Received on Wednesday, 17 January 2018 05:50:01 UTC
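
The parser differential described in the issue above, as an added example that is not part of the original report or of the WHATWG specification: a Node.js check that classifies the raw host with the RFC 3986 `IPv4address` grammar (no decoding) and compares it with what the platform's WHATWG `URL` parser resolves. The names `rawHost`, `checkHost` and `SAMPLES` are hypothetical, and the sample URLs are constructed using the 192.0.2.0/24 documentation range.

```javascript
// RFC 3986 IPv4address grammar, applied to the raw host with no decoding.
const OCTET = "(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const RFC3986_IPV4 = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);
// Shape of the hostname a WHATWG parser serializes for an IPv4 host.
const DOTTED_QUAD = /^\d{1,3}(?:\.\d{1,3}){3}$/;

// Return the host exactly as written in the authority component
// (hypothetical helper; IPv6 bracket literals are not handled here).
function rawHost(urlString) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(urlString);
  if (!m) return null;
  const authority = m[1].slice(m[1].lastIndexOf("@") + 1); // drop userinfo
  return authority.replace(/:\d*$/, "");                   // drop port
}

// Compare the two readings of the same host and flag a disagreement.
function checkHost(urlString) {
  const raw = rawHost(urlString);
  const rfc = raw !== null && RFC3986_IPV4.test(raw) ? "IPv4address" : "reg-name";
  let whatwg = null;
  try {
    whatwg = new URL(urlString).hostname; // percent-decodes, then IPv4-parses
  } catch (_) {
    // URL rejected by the WHATWG parser: nothing to compare.
  }
  const whatwgIsIPv4 = whatwg !== null && DOTTED_QUAD.test(whatwg);
  // Differential: a reg-name to an RFC 3986 filter, an IPv4 address to the app.
  return { raw, rfc, whatwg, differential: rfc === "reg-name" && whatwgIsIPv4 };
}

// Constructed sample inputs.
const SAMPLES = [
  "http://192.0.2.1/",             // plain IPv4 literal: both parsers agree
  "http://%31%39%32.0.2.1/path",   // percent-encoded "192": parsers disagree
  "http://example.com/",           // ordinary domain: both parsers agree
];
for (const u of SAMPLES) console.log(u, JSON.stringify(checkHost(u)));
```

A filter that rejects any request where `differential` is true implements the second remedy proposed in the issue: disallowing hosts that are valid IPv4 addresses only after percent-decoding.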