You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
vchudnov-g opened this issue
Oct 2, 2024
· 0 comments
Assignees
Labels
priority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.
We need to ensure our code works with IPv6. One aspect I noticed is the following:
We have core that defaults the host to use HTTPS. It looks like this:
if":"notinhost:
host+=":443"# pragma: NO COVER
However, IPv6 addresses are allowed in URLs, enclosed in brackets (ref), and IPv6 addresses use colons as separators. The code as written would never default to HTTPS for IPv6. So we should have more robust logic to allow for that.
Separately, the code above is preceded by a regex to look for the URL schema, but it only recognizes HTTP and HTTPS. I suggest we be more general and look for arbitrary schema by examining the host name until the leading colon. This is probably a pedantic point, but there are unregistered schemes being used, and more schemes could conceivably be registered. On principle, we shouldn't be more restrictive than we need to be.
The text was updated successfully, but these errors were encountered:
vchudnov-g
added
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
priority: p2
Moderately-important priority. Fix may not be included in next release.
labels
Oct 2, 2024
priority: p2Moderately-important priority. Fix may not be included in next release.type: bugError or flaw in code with unintended results or allowing sub-optimal usage patterns.
We need to ensure our code works with IPv6. One aspect I noticed is the following:
We have core that defaults the host to use HTTPS. It looks like this:
However, IPv6 addresses are allowed in URLs, enclosed in brackets (ref), and IPv6 addresses use colons as separators. The code as written would never default to HTTPS for IPv6. So we should have more robust logic to allow for that.
Separately, the code above is preceded by a regex to look for the URL schema, but it only recognizes HTTP and HTTPS. I suggest we be more general and look for arbitrary schema by examining the host name until the leading colon. This is probably a pedantic point, but there are unregistered schemes being used, and more schemes could conceivably be registered. On principle, we shouldn't be more restrictive than we need to be.
The text was updated successfully, but these errors were encountered: