
[SR-15513] URL parser finds a password after a hostname #3191

Open
karwa opened this issue Nov 23, 2021 · 0 comments

Comments

@karwa
Contributor

karwa commented Nov 23, 2021

Previous ID SR-15513
Radar None
Original Reporter @karwa
Type Bug
Environment

macOS 11.6, Xcode 13.1 (13A1030d)

Additional Detail from JIRA
Votes 0
Component/s Foundation
Labels Bug
Assignee None
Priority Medium

md5: 2c594f7338b482b3ecb5195478ce3ffd

Issue Description:

let urlA = URL(string: "http://@hostname:@password:@whydoesthishappen/")!
print(urlA)          // "http://@hostname:@password:@whydoesthishappen/"
print(urlA.host)     // "hostname"
print(urlA.password) // "@password"

let urlB = URL(string: "http://@hostname:@password:@whydoesthishappen@/")!
print(urlB)          // "http://@hostname:@password:@whydoesthishappen@/"
print(urlB.host)     // "hostname"
print(urlB.password) // "@password:@whydoesthishappen"

Look carefully at that URL and where the "hostname" and "password" parts are. The password should never come after the hostname!

This could also have security implications. Most other URL parsers would say the hostname is "whydoesthishappen" (urlA) or empty (urlB), taking the last "@" in the authority section as the credentials/hostname delimiter. If somebody had control over the username, they also have control over the hostname because of these differences.

As a bonus, check out this:

let urlC = URL(string: "http://:@hostname_and_password:@/")!
print(urlC)          // "http://:@hostname_and_password:@/"
print(urlC.host)     // "hostname_and_password"
print(urlC.password) // "@hostname_and_password:"

Here, we have a single component which appears as both hostname AND password.

@swift-ci swift-ci transferred this issue from apple/swift-issues Apr 25, 2022
@shahmishal shahmishal transferred this issue from apple/swift May 5, 2022