Bug 1887898 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0

Steps to reproduce:

Version 2.5.0 https://github.com/servo/rust-url
(This issue does not occur in Firefox, regardless of the setting of network.url.useDefaultURI. I have contacted info@servo.org and have been informed that I may post it here.)

servo/rust-url does not properly parse some URLs (hostnames).

----
## sample 1
The URL https://xn--test-.example.com is a URL that can be used by Google Chrome, for example. However, rust-url parses this as https://test.example.com.

(code 1)
```rust
use url::Url;
fn main() {
    let url = Url::parse("https://xn--example-wz6d.com");
    match url {
        Ok(v) => println!("ok {}", v),
        Err(e) => println!("err {}", e),
    };
    let url = Url::parse("https://xn--example-.com");
    match url {
        Ok(v) => println!("ok {}", v),
        Err(e) => println!("err {}", e),
    };
}
```
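As an added example (not code from the bug report, from rust-url or from deno), the following std-only Rust program implements the RFC 3492 Punycode decoder and the label check a defender would apply to a hostname before trusting it in an origin or Host comparison. The point it makes is the one sample 1 turns on: Punycode decoding of "test-" legitimately yields "test", but a label that starts with xn-- and decodes to a string with no non-ASCII character is not an A-label at all (RFC 5890 section 2.3.2.1 requires a U-label to contain at least one non-ASCII character), so a strict parser rejects "xn--test-" instead of folding it onto the unrelated label "test". The function names `punycode_decode`, `check_label` and `check_hostname` are assumptions of this example; the hostnames are the ones used in the report.

```rust
// Added example, not part of the bug report or of rust-url: an RFC 3492
// Punycode decoder plus the A-label check that the "xn--test-" case needs.
// Inputs in main() are constructed from the report's samples.

const BASE: u32 = 36;
const TMIN: u32 = 1;
const TMAX: u32 = 26;
const SKEW: u32 = 38;
const DAMP: u32 = 700;
const INITIAL_BIAS: u32 = 72;
const INITIAL_N: u32 = 128;

/// Map one Punycode digit to its value (a-z => 0-25, 0-9 => 26-35).
fn digit_value(c: u8) -> Option<u32> {
    match c {
        b'a'..=b'z' => Some((c - b'a') as u32),
        b'A'..=b'Z' => Some((c - b'A') as u32),
        b'0'..=b'9' => Some((c - b'0') as u32 + 26),
        _ => None,
    }
}

/// Bias adaptation from RFC 3492 section 6.1.
fn adapt(mut delta: u32, num_points: u32, first_time: bool) -> u32 {
    delta = if first_time { delta / DAMP } else { delta / 2 };
    delta += delta / num_points;
    let mut k = 0;
    while delta > ((BASE - TMIN) * TMAX) / 2 {
        delta /= BASE - TMIN;
        k += BASE;
    }
    k + ((BASE - TMIN + 1) * delta) / (delta + SKEW)
}

/// Decode the part of a label after "xn--" (RFC 3492 section 6.2).
/// Returns None for malformed input (non-ASCII, bad digit, overflow, bad code point).
pub fn punycode_decode(input: &str) -> Option<String> {
    if !input.is_ascii() {
        return None;
    }
    let bytes = input.as_bytes();
    // Everything before the last '-' is copied literally as basic code points.
    let (mut output, mut pos): (Vec<char>, usize) = match input.rfind('-') {
        Some(idx) => (input[..idx].chars().collect(), idx + 1),
        None => (Vec::new(), 0),
    };
    let mut n = INITIAL_N;
    let mut i: u32 = 0;
    let mut bias = INITIAL_BIAS;
    while pos < bytes.len() {
        let old_i = i;
        let mut w: u32 = 1;
        let mut k = BASE;
        loop {
            let digit = digit_value(*bytes.get(pos)?)?;
            pos += 1;
            i = i.checked_add(digit.checked_mul(w)?)?;
            let t = if k <= bias { TMIN } else if k >= bias + TMAX { TMAX } else { k - bias };
            if digit < t {
                break;
            }
            w = w.checked_mul(BASE - t)?;
            k += BASE;
        }
        let len = output.len() as u32 + 1;
        bias = adapt(i - old_i, len, old_i == 0);
        n = n.checked_add(i / len)?;
        i %= len;
        output.insert(i as usize, char::from_u32(n)?);
        i += 1;
    }
    Some(output.into_iter().collect())
}

#[derive(Debug, PartialEq)]
pub enum LabelCheck {
    /// Plain ASCII label without the xn-- prefix.
    Ascii,
    /// Well-formed A-label; carries the decoded U-label.
    ALabel(String),
    /// Starts with xn-- but is not a valid A-label; carries the reason.
    Invalid(&'static str),
}

/// Classify one hostname label. An xn-- label must decode to something with at
/// least one non-ASCII character; "xn--test-" decodes to plain "test" and is rejected.
pub fn check_label(label: &str) -> LabelCheck {
    if label.is_empty() || !label.is_ascii() {
        return LabelCheck::Invalid("label must be non-empty ASCII");
    }
    let lower = label.to_ascii_lowercase();
    if !lower.starts_with("xn--") {
        return LabelCheck::Ascii;
    }
    match punycode_decode(&lower[4..]) {
        None => LabelCheck::Invalid("punycode decoding failed"),
        Some(u) if u.is_empty() => LabelCheck::Invalid("decoded label is empty"),
        Some(u) if u.is_ascii() => LabelCheck::Invalid("xn-- label decodes to pure ASCII"),
        Some(u) => LabelCheck::ALabel(u),
    }
}

/// Check every label of a hostname; Ok carries the lowercased Unicode form.
pub fn check_hostname(host: &str) -> Result<String, String> {
    let mut labels = Vec::new();
    for label in host.split('.') {
        match check_label(label) {
            LabelCheck::Ascii => labels.push(label.to_ascii_lowercase()),
            LabelCheck::ALabel(u) => labels.push(u),
            LabelCheck::Invalid(why) => return Err(format!("{label}: {why}")),
        }
    }
    Ok(labels.join("."))
}

fn main() {
    // Constructed inputs mirroring the report: a real A-label, the bad one, and plain ASCII.
    for host in ["xn--example-wz6d.com", "xn--test-.example.com", "test.example.com"] {
        match check_hostname(host) {
            Ok(u) => println!("ok      {host} -> {u}"),
            Err(e) => println!("reject  {host}: {e}"),
        }
    }
}
```

Running it shows "xn--example-wz6d.com" accepted as "example★.com" (U+2605), "xn--test-.example.com" rejected, and "test.example.com" passed through unchanged; a comparison that only sees the lenient parser's output would have treated the first two of the report's hostnames as the same host. A complete implementation would additionally re-encode the decoded label and require it to round-trip to the original, which catches further malformed A-labels this example does not cover.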

## sample 2 (deno)
deno (https://deno.com/) and WinterJS (https://github.com/wasmerio/winterjs) are well-known JavaScript runtimes. They internally parse URLs using rust-url and return improper parsed results.

(code 2)
```js
console.log(new URL("http://xn--test-.example.com").origin);
```

## sample 3 other software and services
HTTP Request Library
https://crates.io/crates/reqwest
HTTP Request Tool
https://github.com/ducaale/xh
DNS Tools
https://github.com/hickory-dns/hickory-dns


If you are a Discord (https://discord.com/) user, try sending the following URL in a chat:
https://xn--developer-.mozilla.org/
You will see the OGP for https://developer.mozilla.org.

-----
As an actual vulnerability, I have confirmed that it is possible to bypass CSRF Protection in Web Framework Hono.
Hono performs URL parsing when comparing URL and Origin headers.

`origin === new URL(c.req.url).origin`

https://github.com/honojs/hono/blob/d3403942c12c16847b0808cee1dcb0a2d6c81d1b/src/middleware/csrf/index.ts#L17

Thus, the following request bypasses the CSRF filter when running on deno.
test.example.com --> xn--test-.example.com

There may be other libraries or sites with similar or more serious problems.
----

This URL is not appropriate for the specification, but clients such as Chrome allow this domain name, and if more products use rust or deno, the problem may become apparent.

Possible examples: (not a real problem at this time)
- Domain name dependent validation such as ACME challenges may be bypassed and inappropriate certificates may be issued
- DKIM, CSRF protection, etc. may be bypassed


Actual results:

(code 1 actual)
ok https://test.example.com/
ok https://test.example.com/

(code 2 actual)
https://test.example.com


Expected results:

(code 1 expected)
ok https://test.example.com/
ok https://xn--test-.example.com/
( or "err invalid international domain name")

(code 2 expected)
https://xn--test-.example.com (or parse error)
