Is it too much to ask a security vulnerability company to know how to craft a valid URL?
-
Is it too much to ask a security vulnerability company to know how to craft a valid URL?
-
@olivierlacan what's invalid there?
-
@thisismissem @olivierlacan the square brackets must be encoded
-
@jasonkarns @olivierlacan oh? I'm so uaed to seeing them decoded
-
@thisismissem it's common, and most servers accept them. but they violate the spec.
https://www.rfc-editor.org/rfc/rfc3986
{literal IP address v6 or greater}..."This is the only place where square bracket characters are allowed in the URI syntax."
in particular, the `query` segment is constructed: `query = *( pchar / "/" / "?" )` where `pchar = unreserved / pct-encoded / sub-delims / ":" / "@"`
(square brackets are reserved general delimiters thus must be pct-encoded in query segment)
-
@thisismissem now i'm digging further just because
(i don't have any of this memorized, but look it up constantly)rfc1738 (which 3986 updates) includes brackets in the "unsafe" category that require encoding as well.
it uses a slightly different BNF, but is noteworthy that brackets still required encoding even then. (rfc1738 is from 1994 as opposed to rfc3986 from 2005) so the square brackets have required encoding since, effectively, the beginning
-
@jasonkarns maybe it's just browsers would show them decoded in the URL bar? I've never seen them encoded before
