closing hackerone reports as not applicable without mercy on a Saturday night
Peter Krefting (nafmo@social.vivaldi.net)'s status on Sunday, 16-Jun-2024 06:00:13 JST:
I agree that IDN is broken for that kind of URL, *but* you cannot have IDN in an IP address, so if the IDN decoding gives you an IP address, one could argue that that should not be allowed.
But IDN would have been so much better if it had just banned that kind of substitution outright. I remember this being a pain when we first implemented IDN at my previous day job (Opera Software).
daniel:// stenberg:// (bagder@mastodon.social)'s status on Sunday, 16-Jun-2024 06:00:14 JST:
one of them claimed the fact that you can run "curl http://¹²7.0.0.1" is a vulnerability.
I insist this is IDN working as designed. However crazy it may look like. You just cannot filter URLs like that and assume it will work.
Peter Krefting (nafmo@social.vivaldi.net)'s status on Sunday, 16-Jun-2024 06:11:02 JST:
"The ToASCII operation is used before sending an IDN to something that expects ASCII names (such as a resolver) or writing an IDN into a place that expects ASCII names (such as a DNS master file)."
I read that so that the output of ToASCII is a domain name, to be sent to a DNS server. If the output is an IP address, that is something else.
Of course, it does not explicitly say that.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Monday, 17-Jun-2024 00:19:16 JST:
closed a third. Turns out Windows sometimes does fun IDN-like unicode-to-ascii conversions for command lines that then allow users to insert unicode characters in cmdline arguments when run on Windows, and they are converted to their ASCII look-alike counterparts. Which can be abused to insert arguments and whatnot.
Not a curl security flaw. Just the weirdest Windows feature I've seen in a while. And probably a security problem in many places.
daniel:// stenberg:// (bagder@mastodon.social)'s status on Monday, 17-Jun-2024 00:19:16 JST:
This is the same fun Windows feature biting PHP: https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
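An added example, not from the thread and not curl's code, of why a string filter on the raw URL host does not see what an IDN-aware client resolves, using the "¹²7.0.0.1" URL quoted above. It assumes Unicode NFKC normalization as a stand-in for the IDN mapping step; the function names are hypothetical.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# The URL quoted in the thread: superscript one and two, then "7.0.0.1".
SAMPLE = "http://\u00b9\u00b27.0.0.1/"


def naive_is_blocked(url):
    """String blocklist on the raw host: the kind of URL filter the thread warns about."""
    host = urlsplit(url).hostname or ""
    return host == "localhost" or host.startswith("127.")


def canonical_host(url):
    """Host as an IDN-aware client would see it (assumption: NFKC approximates the mapping)."""
    host = urlsplit(url).hostname or ""
    host = unicodedata.normalize("NFKC", host)
    # RFC 3490 also treats U+3002 as a label separator; NFKC leaves it unchanged.
    host = host.replace("\u3002", ".")
    return host.lower().rstrip(".")


def is_blocked(url):
    """Decide on the canonical host, parsed as an address rather than compared as text."""
    host = canonical_host(url)
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name, not an IP literal: the addresses it resolves to need their own check.
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


if __name__ == "__main__":
    print("raw host:      ", urlsplit(SAMPLE).hostname)
    print("canonical host:", canonical_host(SAMPLE))
    print("naive filter blocks it:    ", naive_is_blocked(SAMPLE))
    print("canonical filter blocks it:", is_blocked(SAMPLE))
```

Even the canonical check only matches one client's parsing; checking the address the client actually connects to does not depend on agreeing with its URL parser.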