       ----------------------------------------
       hURLs come back to bite.
       February 09th, 2024
       ----------------------------------------
       
       I have recently noticed that literally every gopher server I have
       looked at does some funky stuff with the HTML/XML/XHTML page it
       generates for hURL support... I expect to be able to write a URL raw
       into a gophermap and have it just work, but in practice there are
       some major issues...
       
       Take this working example of a URL that contains the quotation mark
       character (tabs have been replaced with pipes):
       h|Amazing URL yay|URL:https://radar.zcrayfish.soy/"uhoh".html|
       gopher.zcrayfish.soy|70
       
       The problem: the quotation mark character destroys the anchor on the
       generated page, because the server drops the URL straight into the
       href attribute and the quote terminates the attribute early. Now,
       RFC 1738 says "All unsafe characters must always be encoded within a
       URL", and it specifically lists the quotation mark as a character that
       is sometimes unsafe (it is used to delimit URLs in some systems).
       Written as %22, the link above works everywhere.
       
       Alternatively, for folks not seeking compliance with the URL RFCs, HTML
       entities (&quot; for the quotation mark) can be written into the
       gophermap for the characters which are causing issues. That only works
       as long as the server does not escape the URL again itself, though; a
       server which does will turn an &amp; in the gophermap into &amp;amp;.
       
       In addition to breaking some legitimate URLs, this is a security
       issue: the unescaped URL is HTML injection into the generated page,
       which enables XSS attacks. For a POC, point curl at any gopher server
       with a hURL (curl only shows you the generated markup) and just add
       the following to the end of your URL; it closes the href attribute and
       the anchor tag and drops in a script element:
       "><script%20type="text/javascript">alert("I%20am%20an%20alert%20box!");
       </script>
       
       For the servers that generate the hURL page in HTML, anyone who renders
       it with JavaScript enabled is absolutely going to get a popup.
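       Here is an added example of the two ways a server can build that page,
       the raw pattern complained about above beside an escaping one. It is my
       own illustration, not code from geomyidae, bucktooth or any other
       gopher server; the host and port, the gophermap lines and the parser
       for a type-h line are all constructed for the example. It also runs the
       output through an XML parser, because whether a malformed page saves
       you depends on the exact bytes injected: a payload appended to a
       quote-free URL closes the tag cleanly and is still well-formed XML.

```python
import html
import xml.etree.ElementTree as ET
from urllib.parse import quote

# Assumed host/port for the constructed gophermap lines below.
HOST, PORT = "gopher.zcrayfish.soy", "70"

# RFC 1738 section 2.2 calls quote, <, >, space and friends "unsafe" and
# says they must be encoded. Reserved characters (/ ? & = ...) are left
# alone on purpose: encoding them changes the URL, e.g. ?foo&blah
# would become ?foo%26blah, a different query.
_KEEP = "/:?#@!$&'()*+,;=%[]~"


def gophermap_hurl(display, url, host=HOST, port=PORT):
    """Build one type-h gophermap line with a URL: selector (real tabs)."""
    return f"h{display}\tURL:{url}\t{host}\t{port}"


def hurl_target(line):
    """Return the URL carried by a hURL line, or None if it is not one."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 4 or not fields[0].startswith("h"):
        return None
    selector = fields[1]
    if not selector.startswith("URL:"):
        return None
    return selector[len("URL:"):]


def render_vulnerable(url):
    """The pattern the post complains about: the URL pasted raw into the
    href attribute and the link text. A quote in the URL ends the attribute."""
    return f'<html><body><a href="{url}">{url}</a></body></html>'


def render_escaped(url):
    """Hardened: escape & < > \" ' before the URL touches markup.

    The browser decodes &amp; back to & when it reads the attribute, so a
    query such as ?foo&blah still reaches the target unchanged, and a
    stray quote can no longer close the attribute."""
    safe = html.escape(url, quote=True)
    return f'<html><body><a href="{safe}">{safe}</a></body></html>'


def percent_encode_unsafe(url):
    """RFC 1738 route, for the gophermap author: percent-encode the unsafe
    characters in the URL itself, leaving existing %XX escapes and the
    reserved characters untouched."""
    return quote(url, safe=_KEEP)


def contains_script(page):
    """True if the markup carries a script element a browser would run."""
    return "<script" in page.lower()


def well_formed_xml(page):
    """True if an XML parser (the kind used for application/xhtml+xml)
    accepts the page; a parse error means an error page, not a popup."""
    try:
        ET.fromstring(page)
        return True
    except ET.ParseError:
        return False


# Constructed inputs: the post's example URL and its XSS payload.
GOOD_URL = 'https://radar.zcrayfish.soy/"uhoh".html'
PAYLOAD = '"><script type="text/javascript">alert("I am an alert box!");</script>'


def demo():
    """Run the whole chain and report what each rendering does."""
    evil = hurl_target(gophermap_hurl("Amazing URL yay", GOOD_URL + PAYLOAD))
    raw, esc = render_vulnerable(evil), render_escaped(evil)
    return {
        "raw_executes": contains_script(raw),
        "escaped_executes": contains_script(esc),
        "raw_is_xml": well_formed_xml(raw),
        "escaped_is_xml": well_formed_xml(esc),
        # After a quote-free URL the payload closes the tag cleanly, so the
        # injected page is well-formed XML and XHTML strictness does not help.
        "clean_raw_is_xml": well_formed_xml(
            render_vulnerable("https://example.com/x.html" + PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

       Escaping belongs in the server, on the way into the attribute: the
       gophermap then carries the URL exactly as it should be sent, and a
       query containing & keeps working because the browser undoes &amp;
       when it reads the attribute. Percent-encoding in the gophermap
       (percent_encode_unsafe) fixes the quote case too, but only for
       characters that are unsafe rather than reserved.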
       
       The good news: when a gopher server serves the hURL page as XML+XHTML
       Strict, browsers that render the page as XML might not run the
       JavaScript, because the injected markup usually leaves the XML
       malformed and an XML parser refuses the whole document instead of
       guessing. Do not count on it, though: a payload that closes the
       attribute and the tag cleanly can still be well-formed, so the server
       has to escape the URL either way. So yeah, fuck using HTML 3.2 for
       that page.
       ----------------------------------------
       1207 folks realized that hURL reinventing the wheel over type w was a very
       bad idea.
       Comments have been left on this post:
       
       This is fixed in geomyidae.
       Posted Sat Feb 10 11:36:08 UTC 2024 by p508932fb.dip0.t-ipconnect.de.
       ------------------------------------------------------------------------
       The security side of this is fixed in the most recent versions of
       bucktooth and geomyidae. Breaking change though because folks who were
       using the reserved characters in their gophermap hURL entries will have
       to change them somehow.  Not a hypothetical.
       Posted Tue Feb 20 15:19:27 UTC 2024 by zcrayfish
       ------------------------------------------------------------------------
       I'm reading through geomyidae's source right now, and it disallows a 
       plain ampersand character! That means you CANNOT link to a URL with a 
       query like http://example.com?foo&blah, not even with escaping (and if 
       you URL escape & to %38, it's a completely different URL since & has 
       special meaning in HTTP). The correct solution is for the Gopher server 
       itself to convert "unsafe" characters to HTML character entities when 
       generating an HTML redirect page. So ampersand becomes &amp;, double 
       quote becomes &quot;, single quote becomes &apos;, etc. Escaping 
       characters like this shouldn't be the responsibility of the gophermap 
       author (and if the gophermap HTML-escaped characters in a URL, a proper 
       server would escape them AGAIN, turning &amp; into &amp;amp;. Ew!). -cw
       Posted Thu Feb 27 23:18:27 UTC 2025 by 174-17-246-5.phnx.qwest.net.
       ------------------------------------------------------------------------
       Sorry, I meant URL escaping & to %26 (it's 38 decimal). -cw
       Posted Thu Feb 27 23:19:42 UTC 2025 by 174-17-246-5.phnx.qwest.net.
       ------------------------------------------------------------------------