[Opa] Another UriParser issue

Rudy Sicard rudy.sicard at mlstate.com
Fri Jan 27 13:13:42 UTC 2012


Hi,

Thank you for reporting this bug and the previous one (on UriParser).
The UriParser does not strictly follow the RFC (which is very bad).
We are now thinking of the best change (i.e. following the rfc strictly) 
without breaking existing code and without reducing security.

Concerning the Amazon link, you can provide it directly in a structured 
form as a workaround.

add = {Uri.default_absolute with
             domain = "www.amazon.com"
             path=["ref=as_li_ss_tl" ]
             query = [
                  ("ie","UTF8"),
                  ("tag","..."),
                  //...
             ]} <: Uri.uri

v = <a href={add}></a>

Concerning the non-formatted query, you will have to wait for the fix.



On 27/01/2012 04:20, Owen Gunden wrote:
> Amazon referral links, e.g.
>
> http://www.amazon.com/gp/product/B000EVLS2O/ref=as_li_ss_tl?ie=UTF8&tag=phaunaorg-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=B000EVLS2O
>
> do not parse, because of the '=' sign within the path elements
> (ref=as_li_ss_tl is not part of the query string, it's part of the
> path).
>
> Because this doesn't parse, if I go to serve it in an href, the href
> comes up as "javascript:void(0)/*Sanitized URI*/". It's going to be
> hard to make any money like this :).
>
> I believe this code (from core/uri.opa) is involved:
>
>    /**
>     * Decide whether a string represents a well-formed and secure URI.
>     *
>     * @param s A string
>     * @return true if the string represents a valid [http], [https], [ftp] or [mailto] URI.
>     */
>    // FIXME, secure? in what sense secure?
>    is_secure(s:string) =
>       match of_string(s) with
>          | {none} ->  false
>          | _      ->  true
>
> Maybe time to revisit that FIXME?
>
> In the meantime, perhaps I can work around this with some kind of raw
> xhtml injections..
>
> On Thu, Jan 26, 2012 at 5:41 PM, Owen Gunden<ogunden at phauna.org>  wrote:
>> This parses:
>>
>> http://www.foo.com/foo/bar?baz=quux
>>
>> But this does not:
>>
>> http://www.foo.com/foo/bar?baz
>>
>> Per the rfc, there's no requirement that the query string be in
>> key/value format: http://tools.ietf.org/html/rfc3986#section-3.4
>>
>>
>> You're going to ask for a patch, right?
>>
>> Patching this seems like it requires a type change through to the
>> interface so I'm not sure how badly you want that change. Right now we
>> have:
>>
>>                  ; query : list((string,string))
>>
>> which I would replace with
>>
>>                 ; query : query
>>
>> and
>>
>>   type query = { empty } / { key_value_pairs:list((string,string)) } / { plain:string }


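Added example (not part of the original thread and not Opa's code): a Python sketch of the behaviour discussed above, splitting a URI with the RFC 3986 Appendix B regex so that '=' in a path segment and a query without key/value pairs both parse, while the safety decision rests on a scheme allowlist. The function names, the tuple form of the query and the control-character check are assumptions made for illustration; the allowed schemes are those listed in the quoted is_secure comment.

```python
import re
from urllib.parse import unquote

# Generic component-splitting regex from RFC 3986, Appendix B.
RFC3986 = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$")
# Schemes named in the is_secure doc comment quoted in the thread.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

def classify_query(raw):
    """Model the query as empty / key_value_pairs / plain (the type proposed in the thread)."""
    if not raw:
        return ("empty", None)
    parts = raw.split("&")
    if all("=" in p for p in parts):
        return ("key_value_pairs",
                [tuple(unquote(x) for x in p.split("=", 1)) for p in parts])
    return ("plain", raw)  # RFC 3986 section 3.4 does not require key=value form

def parse_uri(s):
    """Return the URI components, or None when the URI must not be emitted in an href."""
    if re.search(r"[\x00-\x20\x7f]", s):  # assumption: reject whitespace and control chars
        return None
    m = RFC3986.match(s)
    if m is None:
        return None
    scheme, authority, path, query, _fragment = m.groups()
    if scheme is None or scheme.lower() not in ALLOWED_SCHEMES:
        return None  # e.g. javascript: is refused here, not by the path or query shape
    if scheme.lower() != "mailto" and not authority:
        return None
    return {"scheme": scheme.lower(), "domain": authority or "",
            "path": [unquote(p) for p in path.split("/") if p],  # '=' is legal in a segment
            "query": classify_query(query)}

def is_secure(s):
    return parse_uri(s) is not None

# Shortened form of the referral link from the thread.
AMAZON = ("http://www.amazon.com/gp/product/B000EVLS2O/ref=as_li_ss_tl"
          "?ie=UTF8&tag=phaunaorg-20")

if __name__ == "__main__":
    for u in (AMAZON, "http://www.foo.com/foo/bar?baz", "javascript:void(0)"):
        print(u, "->", parse_uri(u))
```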
