[SR-15514] URL parser allows any percent-encoding in IPv6 addresses #3190

Open
karwa opened this issue Nov 23, 2021 · 2 comments

karwa commented Nov 23, 2021

Previous ID SR-15514
Radar None
Original Reporter @karwa
Type Bug
Environment

macOS 11.6, Xcode 13.1 (13A1030d)

Additional Detail from JIRA
Votes 0
Component/s Foundation
Labels Bug
Assignee None
Priority Medium

md5: c1a7eaf07c3bf6c01c786b9dbc02d2b8

Issue Description:

This seems potentially unsafe:

```swift
import Foundation

let urlA = URL(string: "http://[::1%0Aen0]/cd")!
print(urlA)        // "http://[::1%0Aen0]/cd"
print(urlA.host)   // "::1\nen0"  --- includes a newline!
```

This seems to be for IPv6 zone IDs. In that case, it's probably a good idea to only recognise the "%25" (percent-encoded ASCII percent sign, 0x25) and fail on anything else.
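
One way to apply the check suggested above to a raw bracketed host before anything decodes it (an added Swift example, not part of the original issue and not Foundation's code; `parseIPv6Host` and `IPv6HostError` are hypothetical names, and limiting zone IDs to URI "unreserved" characters is an assumption):

```swift
import Foundation

// Added example: hypothetical helper, not Foundation's implementation.
enum IPv6HostError: Error {
    case notBracketed
    case badPercentEscape   // a "%" that does not start the "%25" zone delimiter
    case badZoneID          // empty zone, or characters outside the assumed allow-list
    case badAddress
}

/// Validates the raw (still percent-encoded) bracketed host, e.g. "[fe80::1%25en0]".
func parseIPv6Host(_ rawHost: String) throws -> (address: String, zoneID: String?) {
    guard rawHost.hasPrefix("["), rawHost.hasSuffix("]") else {
        throw IPv6HostError.notBracketed
    }
    let inner = rawHost.dropFirst().dropLast()
    var address = String(inner)
    var zoneID: String? = nil
    if let percent = inner.firstIndex(of: "%") {
        let rest = inner[percent...]
        guard rest.hasPrefix("%25") else { throw IPv6HostError.badPercentEscape }
        let zone = rest.dropFirst(3)
        // Assumption: zone IDs are limited to URI "unreserved" characters.
        let unreserved = Set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
        guard !zone.isEmpty, zone.allSatisfy({ unreserved.contains($0) }) else {
            throw IPv6HostError.badZoneID
        }
        address = String(inner[..<percent])
        zoneID = String(zone)
    }
    // Pre-filter so nothing but address characters reaches the C parser.
    guard address.allSatisfy({ $0.isHexDigit || $0 == ":" || $0 == "." }) else {
        throw IPv6HostError.badAddress
    }
    var parsed = in6_addr()
    guard inet_pton(AF_INET6, address, &parsed) == 1 else { throw IPv6HostError.badAddress }
    return (address, zoneID)
}

// Constructed sample inputs; the second is the host from the report.
for raw in ["[::1]", "[::1%0Aen0]", "[fe80::1%25en0]", "[fe80::1%25en0%0A]", "[::1%25]"] {
    do {
        let host = try parseIPv6Host(raw)
        print(raw, "-> ok:", host.address, "zone:", host.zoneID ?? "none")
    } catch {
        print(raw, "-> rejected:", error)
    }
}
```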


swift-ci commented Dec 3, 2021

Comment by Berik Visschers (JIRA)

URL is a wrapper on CFURL*, which comes from Foundation, which is a closed-source Apple framework.

Although I'm not 100% sure on the best way to file this, I think it makes more sense to report this issue directly to Apple's Feedback Assistant or on the developer forums.


karwa commented Dec 7, 2021

berikv (JIRA User) Apple's feedback/radar system is confidential, which is great if you need to include some proprietary code in your bug report, but not great for transparency and tracking the progress of reported bugs (which is why community sites such as http://www.openradar.appspot.com/ exist).

As this affects open-source code, I consider this to be the appropriate place to file this bug. Apple has a radar sync system to duplicate it to their internal bug-tracker.

@swift-ci swift-ci transferred this issue from apple/swift-issues Apr 25, 2022
@shahmishal shahmishal transferred this issue from apple/swift May 5, 2022