Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:118111 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 29679 invoked from network); 27 Jun 2022 19:41:28 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 27 Jun 2022 19:41:28 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id C597C1804BD for ; Mon, 27 Jun 2022 14:32:16 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE, NUMERIC_HTTP_ADDR,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-pj1-f47.google.com (mail-pj1-f47.google.com [209.85.216.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Mon, 27 Jun 2022 14:32:16 -0700 (PDT) Received: by mail-pj1-f47.google.com with SMTP id h9-20020a17090a648900b001ecb8596e43so10637928pjj.5 for ; Mon, 27 Jun 2022 14:32:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adoy.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=thpJq+rYmxvVNcHkiWiA7ccamHmUqnuC/rA7DJskaTs=; b=NbJ43e+4iXIPE47luMSEWWYRT9iMXss+SbLIXBlk8iZHjbmF+aFm+JZnOvuJE/4tRN mVH2bD2ntucdyfyVPuqogEYafpx/MR6NgUHfVzdB3Y9k2CumS7fVWFvKTWwwAKJS39Ta WM3nWIV2jbhY+tF+q03zU3vGr7zVrwJgI7o2/MU/dozkNKt/Gr62dFspWK4TvZ0amx5Z Vv3G80ZSFzV4Fv+QGsmIXcFWsfWuQDNVufO7uijZcYjUl8eZ2hEbuyaoZ8qnTrKla4Zk 044D0fHjte07wG4k547ErlWy2Zdh/KqxRzdeZAdzwYnctMzFXf8+TZtFJP7eyI6KyKhY LieA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=thpJq+rYmxvVNcHkiWiA7ccamHmUqnuC/rA7DJskaTs=; b=fwtjCbADm1vYq/fl4x5SpDGh65geZtsfhmUs71kSfldstAMpxftLPu+gtAY6Ku7FL3 XetJeq4TUimqrsa3NrM3fdsU4rw1gPXF0v/UykPnK/B2GS+stuv2bPuIMzWk36qwgYfg 9bTofkxUwMvVVdceH3b/+ed2/d+KJmWP5CyK0iNgr3/q/cbavo0Nxg4gTJAmIp9gRQle cUIpFXkDIEV1d4tLkYsEEJX3N1Ntdt7xw/m/PRbjpgKHGtFKllswH3WaKQl0HCphmLcR fFK+W8sT3L9ArwGDoB0fx5Wybjz0YroSKRX0BMKtK0Ci97Xl2AagOU3O1dMZWsxnR7B6 4MoA== X-Gm-Message-State: AJIora8hWmKte1vorU/cqWGDgur+4ryXaZYLpusRa1zyP0xyM96qOhPv 4oA86laBc4LflENRbf6SbbXHKVsb66emxezd+tPy6w== X-Google-Smtp-Source: AGRyM1vABdGNS5caFXxo7HacDoataevyLA/aaKU0Q21BlvPoscqLul+qlv3rkoxBuJL+XYyhtDuhmj4A6a+AKNxJeFw= X-Received: by 2002:a17:90b:3850:b0:1ed:7d1:f0a with SMTP id nl16-20020a17090b385000b001ed07d10f0amr18368139pjb.67.1656365535218; Mon, 27 Jun 2022 14:32:15 -0700 (PDT) MIME-Version: 1.0 References: <4511aee0-b5a0-6310-270f-38ae5cfd8a06@gmail.com> In-Reply-To: <4511aee0-b5a0-6310-270f-38ae5cfd8a06@gmail.com> Date: Mon, 27 Jun 2022 17:32:03 -0400 Message-ID: To: Rowan Tommins Cc: internals@lists.php.net Content-Type: multipart/alternative; boundary="0000000000005863f505e274a739" Subject: Re: [PHP-DEV] [RFC] [Under Discussion] New Curl URL API From: pierrick@adoy.net (Pierrick Charron) --0000000000005863f505e274a739 Content-Type: text/plain; charset="UTF-8" Hi Rowan > If I've got a URL, which is already a string, what code would I write to > "do some checks" on it, outside of a unit test? > That's just an example with an old version of PHP, but let's say you have some code that makes requests but only to a specific list of servers, so you want to analyze the URL and check if the host is in a whitelist. If the provided URL is "http://127.0.0.1:11211#@google.com:80/" and that you used PHP <= 7.0.13 your parse_url function would tell you that the domain you're trying to request is google.com so everything is fine, but in fact when the call to curl is made, curl would call 127.0.0.1. This one was fixed but the problem could still occur if the parser is not the same as the one used in the requester. > > If I'm using CurlUrl to "add/delete/overwrite some parts" how is that > not "using it alone as a representation of an URL"? > > What I meant here was that if you're not using curl, you have no advantage of using this class alone to parse since the requester you're using could handle the URL differently. > If I'm writing a PSR-7 object, am I only supposed to use CurlUrl when > interfacing with curl, and generate the string myself for other > purposes? If the implementation I come up with differs from curl's, how > does the user know which is the "real" URL? > > You can use CurlUrl within your implementation of UriInterface but for the same reason if you're using another request engine than curl, you may have the same security problem where curl will not parse the same data. If you want to make sure that your CurlUrl object represents the same thing as your UriInterface you could build the CurlUrl object part by part using your UriInterface. When you assign your CurlUrl to your CurlHandle with the CURLOPT_CURLU option, curl will use the parts directly instead of parsing the URL again, so you're sure that the host will be the one you set with `CurlUrl::setHost()` and so on. Pierrick [1] https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf --0000000000005863f505e274a739--