Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Single and double dot segments in paths cannot be represented – Premature decoding of %2e character sequences. #281

Closed
alwinb opened this issue Mar 24, 2017 · 7 comments
Closed

Single and double dot segments in paths cannot be represented – Premature decoding of %2e character sequences. #281

alwinb opened this issue Mar 24, 2017 · 7 comments

Comments

@alwinb
Copy link
Contributor

alwinb commented Mar 24, 2017

It is currently impossible to represent URLs (note: URLs, not URL-strings) that have paths that contain single or double dot segments, making it impossible, for example, to address files or directories named . or ...

Example: According to the specification, the URL-string http://asd/efg/%2e%2e/ should resolve to http://asd/. The /%2e%2e/ part is considered equivalent to /../ and is hence interpreted as a move to the parent directory. The same holds forhttp://asd/efg/.%2e/.

I propose to change this on account of the following:

  • Currently (at least) Safari does not shorten the url, and maintains the /%2e%2e/ segment in the path. As long as there is no consensus, we may be still able to change this!

  • It should be possible to represent URLs (not URL-strings) with single and double dot path components as URL-strings.

  • It is not elegant and looks like a standardization of buggy parsing/ resolution algorithms. I cannot help but see this as a 'premature decoding' of the %2e sequences.

I see . and .. sequences in URL-strings as syntactic constructs, similar to the ?, # and / characters. URLs with path components that contain one of the ?, # or / characters can be represented by percent encoding them, e.g. by using %3f, %23, or %2f. Why not allow the same here – while we still can?
@annevk
Copy link
Member

annevk commented Mar 24, 2017

Because the difference between URL parsers can be exploited by attackers, so it's better to be conservative. Did you test Safari Technology Preview? I'm pretty sure they've fixed this.

@achristensen07
Copy link
Collaborator

Yes, I have indeed fixed this in current WebKit. You can verify this with Safari Technology Preview at https://developer.apple.com/safari/technology-preview/
We discussed this in #87

@achristensen07
Copy link
Collaborator

https://bugs.webkit.org/show_bug.cgi?id=164142 was WebKit conforming to the resolution of #87

@annevk
Copy link
Member

annevk commented Mar 24, 2017

Thanks for confirming. Closing this since we don't want to change this because of security. Happy to answer any further questions though @alwinb .

@annevk annevk closed this as completed Mar 24, 2017
@alwinb
Copy link
Contributor Author

alwinb commented Mar 24, 2017

So after reading up a bit, (I need to let it sink in for a while) is it correct that at the moment, no percent decoding (thus normalization) is done on the path at all except for only and exactly those single and double dot path sequences, and that this is special-cased to prevent servers from being tricked to move beyond their document root?

@annevk
Copy link
Member

annevk commented Mar 26, 2017

Yes.

@alwinb
Copy link
Contributor Author

alwinb commented Mar 27, 2017

Thanks.

For the record, I do think the solution is somewhat unsatisfactory. I appreciate the safety issue, but I'm not sure about the tradeoff, nor the effectiveness. Servers that fall for such an attack may fall for http://example.com/..%2fsensitive_info.txt as well, for example.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alwinb @achristensen07 @annevk