You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Look carefully at that URL and where the "hostname" and "password" parts are. The password should never come after the hostname!
This could have also security implications. Most other URL parsers would say the hostname is "whydoesthishappen" (urlA) or empty (urlB), taking the last "@" in the authority section as the credentials/hostname delimiter. If somebody had control over the username, they also have control over the hostname because of how these differences.
Environment
macOS 11.6, Xcode 13.1 (13A1030d)
Additional Detail from JIRA
md5: 2c594f7338b482b3ecb5195478ce3ffd
Issue Description:
Look carefully at that URL and where the "hostname" and "password" parts are. The password should never come after the hostname!
This could have also security implications. Most other URL parsers would say the hostname is "whydoesthishappen" (urlA) or empty (urlB), taking the last "@" in the authority section as the credentials/hostname delimiter. If somebody had control over the username, they also have control over the hostname because of how these differences.
As a bonus, check out this:
Here, we have a single component which appears as both hostname AND password
The text was updated successfully, but these errors were encountered: