On 8/24/25 4:33 AM, Roy T. Fielding wrote:
> Note that allowing link local identifiers in apr means that all users of the
> API are subject to the security considerations of RFC6874.
> 
> 4 <https://datatracker.ietf.org/doc/html/rfc6874#section-4>. Security Considerations
> 
>    The security considerations from the URI syntax specification
>    [RFC3986 <https://datatracker.ietf.org/doc/html/rfc3986>] and the IPv6
>    Scoped Address Architecture specification
>    [RFC4007 <https://datatracker.ietf.org/doc/html/rfc4007>] apply.  In
>    particular, this URI format creates a specific
>    pathway by which a deceitful zone index might be communicated, as
>    mentioned in the final security consideration of the Scoped Address
>    Architecture specification.  It is emphasised that the format is
>    intended only for debugging purposes, but of course this intention
>    does not prevent misuse.
> 
>    To limit this risk, implementations MUST NOT allow use of this format
>    except for well-defined usages, such as sending to link-local
>    addresses under prefix fe80::/10.  At the time of writing, this is
>    the only well-defined usage known.
> 
>    An HTTP client, proxy, or other intermediary MUST remove any ZoneID
>    attached to an outgoing URI, as it has only local significance at the
>    sending host.
> 
> 
> Is this feature needed somewhere, or just being implemented because it is in 
> an RFC?
> 

I tried to address the security concerns via the below patch:

Index: test/testuri.c
===================================================================
--- test/testuri.c      (revision 1927952)
+++ test/testuri.c      (working copy)
@@ -97,6 +97,11 @@
         0, "http", "[fe80::1%25iface]", NULL, NULL, "fe80::1%iface", NULL, 
"/", NULL, NULL, 0
     },
     {
+        /* https://datatracker.ietf.org/doc/html/rfc6874 */
+        "http://[ffff::1%25iface]/";,
+        0, "http", "[ffff::1%25iface]", NULL, NULL, "ffff::1%25iface", NULL, 
"/", NULL, NULL, 0
+    },
+    {
         "http://localhost";,
         0, "http", "localhost", NULL, NULL, "localhost", NULL, NULL, NULL, 
NULL, 0
     },
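Review bot: The new "http://[ffff::1%25iface]/" case expects status 0 and a hostname of "ffff::1%25iface", so it pins down that a zone ID on a non-link-local address is accepted and handed to the caller still percent-encoded, whereas the fe80 case above yields the decoded "fe80::1%iface". Given the RFC 6874 text quoted in this thread (MUST NOT allow the format outside well-defined usages), it is worth deciding whether this input should fail to parse instead. If pass-through is intended, replace the bare RFC URL comment with one saying that the zone ID is deliberately left untouched for addresses outside fe80::/10.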
@@ -214,6 +219,11 @@
         0, "fe80::1%iface", "443", 443
     },
     {
+        /* https://datatracker.ietf.org/doc/html/rfc6874 */
+        "[ffff::1%25iface]:443",
+        0, "ffff::1%25iface", "443", 443
+    },
+    {
         "127.0.0.1:443",
         0, "127.0.0.1", "443", 443
     },
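Review bot: Only "[ffff::1%25iface]:443" is added here, which is far from the boundary the new check draws. Add cases that exercise the prefix test itself: an upper-case "[FE80::1%25iface]:443" for the strncasecmp path, and an address such as "[febf::1%25iface]:443" that lies inside fe80::/10 but does not start with the literal text "fe80:", so the expected result for it is recorded.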
Index: uri/apr_uri.c
===================================================================
--- uri/apr_uri.c       (revision 1928016)
+++ uri/apr_uri.c       (working copy)
@@ -80,13 +80,23 @@

     *have_zone_id = 0;

-    if (len < 3) {
-        /* Need *at least* the three characters for a percent-encoded percent
-         * sign.
+    if (len < 3 + 5) {
+        /*
+         * We neeed *at least* the three characters for a percent-encoded
+         * percent sign. Furthermore scope id's are only allowed for link-local
+         * addresses under prefix fe80::/10.
          */
         return APR_SUCCESS;
     }

+    if (strncasecmp(ipv6addr, "fe80:", 5)) {
+        /*
+         * Scope id's are only allowed for link-local addresses under prefix
+         * fe80::/10.
+         */
+        return APR_SUCCESS;
+    }
+
     s = memchr(ipv6addr, '%', len);
     if (s != NULL && s < ipv6addr + len - 2) {
         /* RFC3986 is pretty specific about how to percent encode, but
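Review bot: In the new strncasecmp(ipv6addr, "fe80:", 5) test the comparison is on the literal text "fe80:", while both comments say fe80::/10. That prefix spans fe80 through febf in the first group, so febf::1%25iface is treated as not link-local. Either compare the first 10 bits of the parsed address, or change the comments to say that only addresses written with a leading "fe80:" are handled. The same early return leaves *have_zone_id at 0 and returns APR_SUCCESS for every other prefix, so the zone ID is silently kept rather than rejected; say in the comment that this is intended. Small point: "neeed" in the first comment is a typo.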
@@ -134,7 +144,11 @@
     size_t offset;
     char *hostcopy;

-    if (s == NULL) {
+    if ((s == NULL) || strncasecmp(uptr->hostname, "fe80:", 5)) {
+        /*
+         * Scope id's are only allowed for link-local addresses under prefix
+         * fe80::/10.
+         */
         return uptr->hostname;
     }
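Review bot: The condition strncasecmp(uptr->hostname, "fe80:", 5) repeats the prefix test and its comment from the earlier apr_uri.c hunk. Move it into one static helper so the parse side and this side cannot drift apart. strncasecmp is also a POSIX function and no include is added in the visible hunks; unless the file already pulls in <strings.h>, apr_cstr_casecmpn() from apr_cstr.h would keep this portable.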


Hence we only do all this for fe80::/10 networks. For other networks we don't
care and leave everything as is as we did before the initial patch. Still or
further concerns?


Regards

Rüdiger
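
The fe80::/10 restriction and the outgoing ZoneID removal from the RFC 6874 text quoted above, as an added example that is not part of the original mail or of APR's code. `check_zone` and its enum are hypothetical names, the prefix is tested on the parsed address bits via `inet_pton()`, and the sample hosts are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an APR function). */
enum zone_check { ZONE_REJECT, ZONE_NONE, ZONE_LINK_LOCAL };

/* host: IPv6 literal as it appears between the URI brackets.
 * out:  receives the address without any zone ID, i.e. the form that may
 *       be placed in an outgoing URI. */
static enum zone_check check_zone(const char *host, char *out, size_t outlen)
{
    const char *pct = strchr(host, '%');
    size_t addrlen = pct ? (size_t)(pct - host) : strlen(host);
    struct in6_addr a;

    if (addrlen == 0 || addrlen >= outlen || addrlen >= INET6_ADDRSTRLEN)
        return ZONE_REJECT;
    memcpy(out, host, addrlen);
    out[addrlen] = '\0';
    if (inet_pton(AF_INET6, out, &a) != 1)
        return ZONE_REJECT;            /* not a valid IPv6 address */
    if (pct == NULL)
        return ZONE_NONE;              /* nothing to strip */
    /* RFC 6874 writes the delimiter as "%25" and needs a non-empty ZoneID;
     * the ZoneID characters themselves are not validated here. */
    if (strncmp(pct, "%25", 3) != 0 || pct[3] == '\0')
        return ZONE_REJECT;
    /* fe80::/10 means the first ten bits are 1111 1110 10. */
    if (a.s6_addr[0] != 0xfe || (a.s6_addr[1] & 0xc0) != 0x80)
        return ZONE_REJECT;            /* zone ID on a non-link-local address */
    return ZONE_LINK_LOCAL;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "fe80::1%25iface", "febf::1%25iface",
                              "ffff::1%25iface", "fe80::1%25", "ffff::1" };
    char out[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum zone_check rc = check_zone(samples[i], out, sizeof out);
        printf("%-18s -> %d (%s)\n", samples[i], (int)rc,
               rc == ZONE_REJECT ? "-" : out);
    }
    return 0;
}
```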
