On 4/27/19 8:39 AM, Lukas Fleischer wrote: > On Sun, 06 Jan 2019 at 18:56:04, Eli Schwartz wrote: >> php's parse_url does not handle proper rfc3986 URIs, specifically, it >> does not handle the case of an empty authority such as file:/// or >> local:/// and only handles the case of file by applying a special case >> for file itself. These URIs are deemed "malformed" and return false. >> >> When such URIs were used, we would end up always treating the package >> source as a filename (despite that this is incorrect, since plain files >> will be correctly handled by parse_url, we will correctly determine that >> there is no schema, and we will go to the source_file_uri). >> >> Instead, handle the case of a "malformed" URI by treating it as another >> example of a source with a schema, and linking it as-is. > > Sorry for replying only now, this somehow slipped through the cracks. > But I realized it's not yet in master, so it's probably not too late! > > What happens if somebody uses "javascript:alert('XSS!')" in their > sources? I hope it is not converted to a link? > > I think we shouldn't create links for anything other than HTTP and HTTPs > schemes (and maybe FTP as well). These links are just for convenience > and probably not used very often. So it's likely a good idea to err on > the safe side.
Ah... yeah, that is a pretty good point. I'd probably want to display that as straight up plaintext. It definitely should not be appended to the cgit url if it is a valid schema, though. And regarding not making a link at all (e.g. for the common git:// protocol), how would that play with renamed sources like "$pkgname::git://example.com/project-something"? I wish php had a schema validator that wasn't broken... python's urlparse cleverly handles all this nonsense, and you can just refuse to print urls with ParseResult(scheme='javascript',...). Maybe we should do string comparisons to reject javascript schemes? Is there anything else which matters in this context? -- Eli Schwartz Bug Wrangler and Trusted User
signature.asc
Description: OpenPGP digital signature