Re: [whatwg/url] Unicode normalization could change the structure of a URL (#626) from Anne van Kesteren on 2021-08-04 (public-webapps-github@w3.org from August 2021)

From: Anne van Kesteren <notifications@github.com>
Date: Wed, 04 Aug 2021 07:30:05 -0700
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/issues/626/892707809@github.com>

So OAuth2 accepts a URL string with Unicode in it and then:

1. Parses that URL string into a URL for its own purposes. (And it might terminate here if the URL is not adequate for some reason.)
2. Sends back that URL string for another consumer, but now NFKC/D normalized?

How is that not a bug in OAuth2?

You cannot apply Unicode normalization to all inputs, certainly not URL strings. They should only go into the URL parser.

I could see trying to disallow `＃` and similar code points, but pipelines that do this kind of (bogus) normalization on URL strings would still be susceptible to attacks, depending on when they perform the (bogus) normalization.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/626#issuecomment-892707809

Received on Wednesday, 4 August 2021 14:30:18 UTC