- From: Anne van Kesteren <notifications@github.com>
- Date: Sat, 03 Jan 2026 23:38:23 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 4 January 2026 07:38:27 UTC
annevk left a comment (whatwg/url#893)

I think you still have to explain the attack vector a bit better. If I were to write a URL filter, I would never attempt to filter unparsed inputs. And I would ensure the entire system uses the same URL parser. If that cannot be guaranteed you'll have to perform some kind of normalization. But what normalization you have to perform is probably unique to the system if the URL parsers in it are non-conforming as they can be susceptible to different kinds of attacks.

For instance, the presentation I linked above mentions `curl`. `curl`'s author doesn't want to implement the URL standard, nor does he want to implement the RFC specifications. Instead `curl` has some kind of garbage-in-garbage-out policy, which seems like a huge security issue to me, but thus far it hasn't been exploited much(?). Perhaps because people have learned how to normalize URLs before passing them to `curl`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/893#issuecomment-3707828462
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/url/issues/893/3707828462@github.com>
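The two points in the comment above, filtering parsed URLs rather than raw strings and re-serializing with one parser so downstream components see a normalized form, as an added example that is not part of the message or of the whatwg/url project. It uses Node's global URL class, which implements the WHATWG URL parser; the allow-list, the function names and the sample inputs are all constructed for this illustration.

```javascript
// Added illustration, not code from the whatwg/url project or from the comment's
// author. Uses Node's global URL class, which implements the WHATWG URL parser.
// The allow-list, the function names and the sample inputs are all constructed here.

const ALLOWED_HOSTS = new Set(["good.example"]); // assumed allow-list

// The approach the comment warns against: a check on the unparsed string.
function naiveAllow(input) {
  return input.startsWith("https://good.example");
}

// Parse first, then check scheme and host on the parsed record.
// Returns the serialized URL on success (a normalized form to hand to the next
// component, whatever parser it uses), or null when the input is rejected.
function parsedAllow(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser; throws on an unparseable input
  } catch {
    return null;          // no guessing about what an unparseable string "meant"
  }
  if (url.protocol !== "https:") return null;
  if (url.username !== "" || url.password !== "") return null; // refuse userinfo outright
  if (!ALLOWED_HOSTS.has(url.host)) return null;
  return url.href;        // canonical serialization: scheme and host lowercased,
                          // default port dropped, host percent-decoded, "\" rewritten as "/"
}

// Constructed inputs on which a string check and the parser disagree.
const SAMPLES = [
  "https://good.example/",                 // both accept
  "https://good.example@evil.example/",    // userinfo trick: host is evil.example
  "https://good.example.evil.example/",    // prefix trick: host is a different domain
  "https://good%2eexample/",               // percent-encoded dot decodes to good.example
  "HTTPS://GOOD.EXAMPLE:443/x",            // case and default port normalize away
  "https://good.example\\@evil.example/",  // backslash ends the authority for special schemes
  "http://good.example/",                  // wrong scheme
];

// Side-by-side verdicts for each sample.
function compare() {
  return SAMPLES.map((s) => ({ input: s, naive: naiveAllow(s), parsed: parsedAllow(s) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compare()) console.log(row);
}
```

The serialized `href` returned by `parsedAllow` is the form to pass on: a consumer with its own URL parser (`curl`, an HTTP client library) gets a string with no userinfo, no backslashes in the authority and no percent-encoded host characters, so there is far less for two parsers to disagree about. Where the whole system can use one parser, the normalization step is unnecessary, which is the comment's first recommendation.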