URLs are not serialized according to WHATWG spec and compare differently #1167
Comments
I think that might be implemented this way to prevent security vulnerabilities given the contexts where yarl is used...

Currently we only normalize the path if the host (netloc) is set. If you add a host, then the assertion will pass.

It seems this behavior is quite intentional, as if I remove the check these tests fail:

I'd note that all of those tests are for joining, not equality. So, maybe something should be tweaked here, but I'm not too clear on what.

Basically, we can't normalise the path upfront if it's relative, as it needs to evaluate that relative part once joined to a base URL. Possibly, we should be normalising the paths of relative URLs on equality check though? The RFC seems to suggest to me that equality of relative references is not relevant...

I think that would be ok but not sure if that's a breaking change or not...

Except for the cases where untrusted input is fed to
Describe the bug

Looking at the WHATWG example for URL equality, the URLs
web+demo:/.//not-a-host/
and
web+demo:/path/..//not-a-host/
should be considered equal after URL serialization. When parsing those URLs using ada, they are indeed serialized identically.

To Reproduce

Using yarl 1.12.1, run

Expected behavior

Both URLs should be serialized as described in the WHATWG specification, i.e. the serialized result should be
web+demo:/.//not-a-host/
in both cases.

Logs/tracebacks
Python Version
Python 3.12.6
multidict Version
yarl Version
OS
Linux
Additional context
No response
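The following is an added example written for this page; it is not code from yarl, from ada, or from anyone in the thread. It reproduces the two steps the report depends on, in pure Python: RFC 3986 dot-segment removal on an absolute path (which the WHATWG path parser performs for these inputs) and the WHATWG serializer rule that prepends "/." when a URL has no host and its path starts with an empty segment. It also shows the caveat raised in the comments, namely that a relative path cannot be normalised before it is joined to a base. The URLRecord type, the parse/normalize/serialize helpers and the base URL http://example.test/x/y/ are constructed for the demonstration and are not yarl APIs.

```python
"""Added example (not yarl code): WHATWG-style normalisation and
serialisation of the two URLs from the report, plus the relative-path
caveat from the discussion.  All helpers here are constructed for
illustration and cover only the cases needed to show the point."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin


@dataclass(frozen=True)
class URLRecord:
    scheme: str
    host: Optional[str]  # None means "no host", which is distinct from ""
    path: str


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments."""
    output: list[str] = []
    inp = path
    while inp:
        if inp.startswith("../"):
            inp = inp[3:]
        elif inp.startswith("./"):
            inp = inp[2:]
        elif inp.startswith("/./"):
            inp = inp[2:]
        elif inp == "/.":
            inp = "/"
        elif inp.startswith("/../"):
            inp = inp[3:]
            if output:
                output.pop()
        elif inp == "/..":
            inp = "/"
            if output:
                output.pop()
        elif inp in (".", ".."):
            inp = ""
        else:
            # Move the first segment (with its leading "/", if any) to output.
            cut = inp.find("/", 1 if inp.startswith("/") else 0)
            seg, inp = (inp, "") if cut == -1 else (inp[:cut], inp[cut:])
            output.append(seg)
    return "".join(output)


def parse(url: str) -> URLRecord:
    """Tiny parser: scheme ':' followed by '//' host path, or by a bare path."""
    scheme, sep, rest = url.partition(":")
    if not sep or not scheme or not all(c.isalnum() or c in "+-." for c in scheme):
        raise ValueError(f"expected an absolute URL with a scheme: {url!r}")
    if rest.startswith("//"):
        host, slash, path = rest[2:].partition("/")
        return URLRecord(scheme.lower(), host, slash + path)
    return URLRecord(scheme.lower(), None, rest)


def normalize(rec: URLRecord) -> URLRecord:
    """Dot-segment removal is only safe for a path that starts at the root."""
    if not rec.path.startswith("/"):
        # A relative path keeps its dot segments until it is joined to a base.
        return rec
    return URLRecord(rec.scheme, rec.host, remove_dot_segments(rec.path))


def serialize(rec: URLRecord, guard: bool = True) -> str:
    """WHATWG-style serializer; `guard=False` omits the '/.' rule to show why it exists."""
    out = rec.scheme + ":"
    if rec.host is not None:
        out += "//" + rec.host
    elif guard and rec.path.startswith("//"):
        # Host is null and path[0] is the empty segment: emit "/." first,
        # otherwise "//not-a-host" would be re-read as an authority.
        out += "/."
    return out + rec.path


def canonical(url: str) -> str:
    return serialize(normalize(parse(url)))


def whatwg_equal(a: str, b: str) -> bool:
    return canonical(a) == canonical(b)


def relative_join_demo() -> tuple:
    """Pre-normalising '../a/b' to 'a/b' changes the result of joining it to a base."""
    base = "http://example.test/x/y/"  # constructed base URL
    raw, pre = "../a/b", remove_dot_segments("../a/b")
    return urljoin(base, raw), urljoin(base, pre)


if __name__ == "__main__":
    for u in ("web+demo:/.//not-a-host/", "web+demo:/path/..//not-a-host/"):
        print(u, "->", canonical(u))
    rec = normalize(parse("web+demo:/path/..//not-a-host/"))
    unguarded = serialize(rec, guard=False)
    print("without '/.':", unguarded, "re-parses as", parse(unguarded))
    print("join raw vs pre-normalised:", relative_join_demo())
```

Running the block prints the same canonical form for both URLs from the report, then shows that dropping the "/." guard turns the first path segment into a host on re-parse, and that joining a pre-normalised relative path lands in a different directory than joining the original.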