From: straight-shoota
Date: Mon, 28 Nov 2022 23:46:13 +0000 (UTC)
To: ruby-core@ml.ruby-lang.org
Subject: [ruby-core:111040] [Ruby master Bug#19157] URI bad component validation can be tricked

Issue #19157 has been reported by straight-shoota (Johannes Müller).

----------------------------------------
Bug #19157: URI bad component validation can be tricked
https://bugs.ruby-lang.org/issues/19157

* Author: straight-shoota (Johannes Müller)
* Status: Open
* Priority: Normal
* ruby -v: 3.1.3
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN
----------------------------------------
`URI::HTTP` checks the validity of the URI components. For example, the path of a URI with an authority component must be either empty or start with a slash.

This validation applies to the `.build` constructor as well as to the `path` setter.

But it can be tricked when setting an empty authority component and scheme before setting a relative path, and then setting the authority and scheme again.
This produces an invalid and incorrect URI.

```ruby
require "uri"

uri = URI::HTTP.build({})
uri.scheme = nil
uri.path = "resource"
uri.host = "example.com" # this should raise URI::InvalidComponentError
uri.scheme = "http"
uri.to_s # => "http://example.comresource"
```

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/