Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Fix http_parser_parse_url to handle very long URLs #480
Conversation
Earlier http_parser_parse_url would incorrectly parse very long URLs: The resulting off and len parameters would just get truncated. Even though very long URLs are typically considered invalid by servers they could still end up being parsed by http_parser_parse_url. Thus it's better handle this situation gracefully. This change is unfortunately not backwards ABI compatible due to changes in http_parser_url structure field types, hence the major version number bump.
|
I'd also note that the issue of failing to parse very long URLs properly might also have a security impact: For example if a security critical code would use http_parser_parse_url function to parse the path of a request and then examine the path to see if it should be passed thru some filter. Due to this issue the parsed and actual paths could differ, which might result in filter bypass. However, to be exploitable the actual implementation would still been to accept the very long URL. If this PR is deemed too drastic of a change, alternatively adding checks for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Earlier http_parser_parse_url would incorrectly parse very long URLs: The resulting off and len parameters would just get truncated. Even though very long URLs are typically considered invalid by servers they could still end up being parsed by http_parser_parse_url. Thus it's better handle this situation gracefully.
This change is unfortunately not backwards ABI compatible due to changes in http_parser_url structure field types, hence the major version number bump.