Url encode for colon

9/20/2023

URL syntax and their use in curl

Specifications

The official "URL syntax" is primarily defined in these two different specifications:

- RFC 3986 (although URL is called "URI" in there)
- The WHATWG URL spec

RFC 3986 is the earlier one, and curl has always tried to adhere to that one (since it shipped in January 2005).

The WHATWG URL spec was written later, is incompatible with the RFC 3986 and changes over time.

URL parsers as implemented in browsers, libraries and tools usually opt to support one of the mentioned specifications. Bugs, differences in interpretations and the moving nature of the WHATWG spec do however make it unlikely that multiple parsers treat URLs the same way.

Security

Due to the inherent differences between URL parser implementations, it is considered a security risk to mix different implementations and assume the same behavior!

For example, if you use one parser to check if a URL uses a good host name or the correct auth field, and then pass on that same URL to a second parser, there will always be a risk it treats the same URL differently. There is no right and wrong in URL land, only differences of opinions.

libcurl offers a separate API to its URL parser for this reason, among others.

Applications may at times find it convenient to allow users to specify URLs for various purposes and that string would then end up fed to curl. Getting a URL from an external untrusted party and using it with curl brings several security concerns:
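Added example, not part of the curl text: the parser mismatch described under Security, shown with two stand-in parsers in Python (a hand-rolled regex check and `urllib.parse`, neither of which is curl's parser). `ALLOWED_HOSTS`, the sample URLs and all function names are constructed for illustration; `vet` shows the safer pattern of parsing once, validating the parsed parts, and passing on a URL rebuilt from those parts.

```python
import re
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"api.example"}  # constructed allowlist (assumption)

# Constructed sample input; the second URL puts a colon inside the userinfo.
SAMPLES = [
    "https://api.example/v1/items",
    "https://api.example:443@other.example/v1",
    "https://API.example:8443/v1?x=1",
]

# Parser A: the kind of inline check a validator often grows by hand.
# It takes everything after "://" up to the first "/", ":", "?" or "#".
_NAIVE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]*)", re.I)

def naive_host(url):
    m = _NAIVE.match(url)
    return m.group(1).lower() if m else None

# Parser B: stand-in for whichever parser the fetching client uses.
def stdlib_host(url):
    return urlsplit(url).hostname

def disagreements(urls):
    """Return the URLs for which the two parsers report different hosts."""
    return [u for u in urls if naive_host(u) != stdlib_host(u)]

def vet(url):
    """Parse once, validate the parsed parts, return a rebuilt URL or None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https":
        return None
    if "@" in parts.netloc:  # reject any userinfo instead of interpreting it
        return None
    if parts.hostname not in ALLOWED_HOSTS:
        return None
    netloc = parts.hostname if port is None else f"{parts.hostname}:{port}"
    # Rebuild from validated components; the fragment is dropped.
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, "|", naive_host(u), "|", stdlib_host(u), "|", vet(u))
```

With libcurl the same idea means doing the checks on the parts returned by its own URL API rather than on the raw string.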