Skip to content

URL Sanitizer considers URL as invalid if it has *both* userinfo and %40 #2042

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jlahijani opened this issue Feb 12, 2025 · 2 comments
Open

URL Sanitizer considers URL as invalid if it has *both* userinfo and %40 #2042

jlahijani opened this issue Feb 12, 2025 · 2 comments
Labels
type: sanitizer

Comments

@jlahijani
Copy link

jlahijani commented Feb 12, 2025
edited
Loading

=== IGNORE THIS, SEE COMMENTS DIRECTLY AFTERWARD ===

Imagine you have this URL:

$url = "https://myusername:mypassword@example.com/some/page";

As you can see, it's using the following userinfo credentials in the URL:

  • username: myusername
  • password: mypassword

ProcessWire's URL sanitizer thinks that's invalid, however PHP's FILTER_VALIDATE_URL correctly accepts it.

echo filter_var($url, FILTER_VALIDATE_URL) ? 'valid' : 'invalid'; // valid (correct)
echo "\n";
echo $sanitizer->url($url) ? 'valid' : 'invalid'; // invalid (incorrect)

The spec for how URLs can be formatted is here:
https://datatracker.ietf.org/doc/html/rfc3986

The part about userinfo is here:
https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.1

Note how it says:

   Use of the format "user:password" in the userinfo field is
   deprecated.  Applications should not render as clear text any data
   after the first colon (":") character found within a userinfo
   subcomponent unless the data after the colon is the empty string
   (indicating no password).  Applications may choose to ignore or
   reject such data when it is received as part of a reference and
   should reject the storage of such data in unencrypted form.  The
   passing of authentication information in clear text has proven to be
   a security risk in almost every case where it has been used.

This came up because I have to store a URL with userinfo in it as part of a webhook / callback with a 3rd party service. I am using a URL field, but unfortunately it won't save the value since it has userinfo in it. I could switch it to a regular Text field, but I'd prefer not to.

If you decide to support this, please make sure this more advanced URL works (ie, having %40 as part of the username or password):

$url = "https://myusername%40mydomain.com:mypassword@example.com/foo-%40-bar";
@Toutouwai
Copy link

I can't reproduce here. The sanitized version of the URL is identical to the original URL, i.e. the sanitizer doesn't find any problem with the URL.

Image

@jlahijani
Copy link
Author

jlahijani commented Feb 12, 2025
edited
Loading

@Toutouwai You are right.

What I should have said is having userinfo works, having %40 works, but having a url with both of them present DOES NOT work:

$url = "https://myusername:mypassword@example.com/foo-%40-bar";
echo filter_var($url, FILTER_VALIDATE_URL) ? 'valid' : 'invalid'; // valid (correct)
echo "\n";
echo $sanitizer->url($url) ? 'valid' : 'invalid'; // invalid (incorrect)

@jlahijani jlahijani changed the title URL Sanitizer and doesn't support 'userinfo' subcomponent as defined by RFC3986 URL Sanitizer considers URL as invalid if it has *both* userinfo and %40 Feb 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: sanitizer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jlahijani @Toutouwai @matjazpotocnik