----------------------------------------
hURLs come back to bite.
February 09th, 2024
----------------------------------------
I have recently noticed that literally every gopher server I have looked
at does some funky stuff with the HTML/XML/XHTML page it generates for
hURL support... I expect to be able to write a URL raw into a gophermap
and have it just work, but, in practice, there are some major issues...
Take this working example URL that contains the quotation mark character
(tabs have been replaced with pipes):
h|Amazing URL yay|URL:https://radar.zcrayfish.soy/"uhoh".html|gopher.zcrayfish.soy|70
The problem: the quotation mark character destroys the anchor on the
generated page, because the URL is dropped into an href attribute that is
itself delimited by quotation marks, so the first " in the URL ends the
attribute early. Now, RFC 1738 says "All unsafe characters must always be
encoded within a URL", and it lists the quotation mark among the
characters that are unsafe because some systems use it to delimit URLs.
Percent-encoded, the example URL is written as
https://radar.zcrayfish.soy/%22uhoh%22.html and the anchor survives.
Alternatively, for folks not seeking compliance with the URL RFCs, HTML
entities can be used in the gophermap for the reserved characters which
are causing issues, though that only works as long as the server does not
escape the URL a second time when it writes the page (see the comments
below).
In addition to breaking some legitimate URLs, this is a security issue:
everything after the quotation mark is inserted into the generated page
as raw HTML, which allows arbitrary markup injection, including XSS
attacks. For a POC, point curl at any gopher server with hURL support and
just add the following to the end of your URL:
"><script%20type="text/javascript">alert("I%20am%20an%20alert%20box!");</script>
For the servers that generate the hURL page as HTML, anyone who renders
it with JavaScript enabled is absolutely going to get a popup.
The good news: when a gopher server serves the hURL page as XHTML Strict
with an XML content type, browsers that parse the page as XML might not
run the JavaScript, because the injected markup leaves the document
malformed and an XML parser stops at the first error. That is a fragile
defence, not a fix, since a payload can be crafted to stay well-formed;
the fix is escaping the URL as the server writes the page. So yeah, fuck
using HTML 3.2 for that page.
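As an added worked example (my own code, not code from this phlog or from any gopher server), here is a small Python model of the hURL redirect page: a renderer that copies the URL into the page raw, the way the broken servers do; a fixed renderer that turns & < > " ' into HTML entities at the moment the URL enters the HTML; and a parser that reports what a browser would actually see. The page template, the selector strings and the percent-encoding helper are assumptions for illustration; the payload is the one above with %20 decoded to spaces, as it would arrive from a gophermap entry.

```python
import html
from html.parser import HTMLParser

# Constructed template, modelled on the kind of redirect page gopher servers
# emit for a type h "URL:" selector; it is not the code of any real server.
# The URL lands in two attribute values and once in text content.
PAGE_TEMPLATE = """<!DOCTYPE html>
<html><head><meta http-equiv="refresh" content="2;url={url}">
<title>Redirecting</title></head>
<body><p>You are being redirected to <a href="{url}">{url}</a></p></body></html>"""


def selector_to_url(selector: str) -> str:
    """Strip the 'URL:' prefix that marks a type h hURL selector."""
    return selector[4:] if selector.startswith("URL:") else selector


def render_vulnerable(selector: str) -> str:
    """The broken pattern: the URL is copied into the HTML verbatim."""
    return PAGE_TEMPLATE.format(url=selector_to_url(selector))


def render_safe(selector: str) -> str:
    """The fix: & < > \" ' become entities where the URL enters HTML.

    The gophermap author keeps writing the raw URL. An & in a query string
    becomes &amp; in the page, which the browser decodes back to & when it
    reads the attribute, so the link still works.
    """
    return PAGE_TEMPLATE.format(url=html.escape(selector_to_url(selector), quote=True))


class _PageInspector(HTMLParser):
    """Counts <script> start tags and collects decoded href attribute values."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "a":
            # HTMLParser has already decoded entities in attribute values here,
            # which is what a browser does before following the link.
            self.hrefs.extend(v for k, v in attrs if k == "href")


def count_script_tags(page: str) -> int:
    """Number of <script> elements a browser would find in the page."""
    p = _PageInspector()
    p.feed(page)
    p.close()
    return p.script_tags


def first_href(page: str) -> str:
    """The decoded href of the first <a> in the page, '' if none."""
    p = _PageInspector()
    p.feed(page)
    p.close()
    return p.hrefs[0] if p.hrefs else ""


# RFC 1738 section 2.2 "unsafe" characters, the author's recommended route.
# # and % are left alone because they carry URL meaning, ~ because it is
# conventional in paths (assumption for this example).
UNSAFE_CHARS = ' <>"{}|\\^[]`'


def percent_encode_unsafe(url: str) -> str:
    """Percent-encode the unsafe characters a gophermap author should escape."""
    return "".join(f"%{ord(c):02X}" if c in UNSAFE_CHARS else c for c in url)


# Constructed inputs: the post's payload with %20 decoded to spaces, as a
# gophermap entry would carry it, plus the ampersand case from the comments.
XSS_SELECTOR = ('URL:https://radar.zcrayfish.soy/"><script type="text/javascript">'
                'alert("I am an alert box!");</script>')
QUERY_SELECTOR = "URL:http://example.com?foo&blah"

if __name__ == "__main__":
    print("raw renderer     :", count_script_tags(render_vulnerable(XSS_SELECTOR)), "script tag(s),",
          "href =", first_href(render_vulnerable(XSS_SELECTOR)))
    print("escaping renderer:", count_script_tags(render_safe(XSS_SELECTOR)), "script tag(s),",
          "href =", first_href(render_safe(XSS_SELECTOR)))
    print("query href as the browser sees it:", first_href(render_safe(QUERY_SELECTOR)))
    print("author-side percent-encoding      :", percent_encode_unsafe(selector_to_url(XSS_SELECTOR)))
```

Running it shows the raw renderer producing script elements and an href truncated at the first quotation mark, the escaping renderer producing no script element and handing the browser the original URL intact, an ampersand in a query string surviving as &amp; in the page and coming back as & in the decoded href, and a gophermap author who percent-encodes the quotation mark as %22 defusing the payload even on an unfixed server, which is the breaking change for existing gophermaps discussed in the comments.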
----------------------------------------
853 folks realized that hURL reinventing the wheel over type w was a very bad idea.
Comments have been left on this post:
This is fixed in geomyidae.
Posted Sat Feb 10 11:36:08 UTC 2024 by p508932fb.dip0.t-ipconnect.de.
------------------------------------------------------------------------
The security side of this is fixed in the most recent versions of
bucktooth and geomyidae. It is a breaking change, though, because folks
who were using the reserved characters in their gophermap hURL entries
will have to change them somehow. Not a hypothetical.
Posted Tue Feb 20 15:19:27 UTC 2024 by zcrayfish
------------------------------------------------------------------------
I'm reading through geomyidae's source right now, and it disallows a
plain ampersand character! That means you CANNOT link to a URL with a
query like http://example.com?foo&blah, not even with escaping (and if
you URL escape & to %38, it's a completely different URL since & has
special meaning in HTTP). The correct solution is for the Gopher server
itself to convert "unsafe" characters to HTML character entities when
generating an HTML redirect page. So ampersand becomes &amp;, double
quote becomes &quot;, single quote becomes &#39;, etc. Escaping
characters like this shouldn't be the responsibility of the gophermap
author (and if the gophermap HTML-escaped characters in a URL, a proper
server would escape them AGAIN, turning &amp; into &amp;amp;. Ew!). -cw
Posted Thu Feb 27 23:18:27 UTC 2025 by 174-17-246-5.phnx.qwest.net.
------------------------------------------------------------------------
Sorry, I meant URL escaping & to %26 (it's 38 decimal). -cw
Posted Thu Feb 27 23:19:42 UTC 2025 by 174-17-246-5.phnx.qwest.net.
------------------------------------------------------------------------