[langsec-discuss] URL parsing

Will Sargent will.sargent at gmail.com
Sun Dec 8 02:01:43 UTC 2013


Apparently URLEncoder doesn’t even do HTTP form encoding correctly:

http://notes.richdougherty.com/2013/07/url-path-segment-encoding.html

Will.

From: Michael E. Locasto
Reply: locasto at ucalgary.ca
Date: December 7, 2013 at 1:05:05 PM
To: langsec-discuss at mail.langsec.org
Subject: Re: [langsec-discuss] URL parsing

I have found lcamtuf's Browser Security Handbook to be a particularly  
enlightening resource on this topic for my students:  

http://code.google.com/p/browsersec/wiki/Part1#Uniform_Resource_Locators  

On 12/7/13 12:36 PM, Will Sargent wrote:  
> While we're on the topic of "X being broken" -- apparently URL parsing has  
> to be done in stages, and each segment of a URL has different parsing  
> rules. And java.net.URLEncoder is only useful for HTTP form encoding, not  
> actual URLs.  
>  
> http://blog.palominolabs.com/2013/10/03/creating-urls-correctly-and-safely/  
>  
> Which means everyone using Java, over the last 20 years or so, has been  
> parsing URLs the wrong way. I'm not sure there's enough face palm.  
>  
> Will.  
>  
>  
>  
> _______________________________________________  
> langsec-discuss mailing list  
> langsec-discuss at mail.langsec.org  
> https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss  
>  
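
The staged encoding discussed in the thread above, as an added example that is not part of the original messages: a path segment and a query value are each encoded by their own rules, and the result is compared with using java.net.URLEncoder for the path. The class name, helper names, sample value and example.com host are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class UrlStages {
    // RFC 3986 pchar characters that may appear literally in a path segment,
    // besides ASCII letters and digits: unreserved marks, sub-delims, ':' and '@'.
    private static final String SEGMENT_LITERALS = "-._~!$&'()*+,;=:@";

    // Percent-encode ONE path segment. '/' and '?' are escaped because they are
    // delimiters at this level; space becomes %20, never '+'.
    static String encodePathSegment(String segment) {
        StringBuilder out = new StringBuilder();
        for (byte b : segment.getBytes(StandardCharsets.UTF_8)) {
            int v = b & 0xFF;
            boolean literal = (v >= 'a' && v <= 'z') || (v >= 'A' && v <= 'Z')
                    || (v >= '0' && v <= '9') || SEGMENT_LITERALS.indexOf(v) >= 0;
            if (literal) out.append((char) v);
            else out.append('%').append(String.format("%02X", v));
        }
        return out.toString();
    }

    // Form-encode one query key or value (application/x-www-form-urlencoded).
    static String encodeFormValue(String value) throws Exception {
        return URLEncoder.encode(value, "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        String name = "AC/DC & more+1"; // constructed sample value

        // Wrong stage: form encoding applied to a path segment.
        String wrong = "http://example.com/bands/" + encodeFormValue(name);
        // Right stage: each part encoded by its own rules, then joined.
        String right = "http://example.com/bands/" + encodePathSegment(name)
                + "?q=" + encodeFormValue(name);

        System.out.println(wrong);
        System.out.println(right);
        // URI.getPath() undoes percent-escapes only, so a '+' in a path stays a plus sign.
        System.out.println(new URI(wrong).getPath());
        System.out.println(new URI(right).getPath());
        System.out.println(new URI(right).getRawQuery());
    }
}
```

Comparing the two getPath() lines shows the data change: the form-encoded path comes back with plus signs where the input had spaces, while the segment-encoded path returns the original value.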
