----------------------------------------
       hURLs come back to bite.
       February 09th, 2024
       ----------------------------------------
       
       I have recently noticed that literally every gopher server which I
       have looked at does some funky stuff with the HTML/XML/XHTML page
       which it generates for hURL support... I expect to be able to write a
       URL raw into a gophermap and have it just work, but, in practice,
       there are some major issues...
       
       Take this working example URL that contains the quotation mark character
       (tabs have been replaced with pipes):
       h|Amazing URL yay|URL:https://radar.zcrayfish.soy/"uhoh".html|gopher.zcrayfish.soy|70
       
       The problem: the quotation mark character destroys the anchor on the
       generated page... Now, RFC 1738 says "All unsafe characters must always
       be encoded within a URL", and it specifically includes the quotation
       mark character as an example of one which is sometimes unsafe.
       
       Alternatively, for folks not seeking compliance with the URL RFCs, HTML
       entities can be used for the reserved characters which are causing
       issues.
       
       In addition to breaking some legitimate URLs, this is a security issue
       which allows arbitrary code insertion, including XSS attacks. For a
       PoC, point curl at any gopher server with a hURL and just add the
       following to the end of your URL:
       "><script%20type="text/javascript">alert("I%20am%20an%20alert%20box!");
       </script>
       
       For the servers that generate the hURL page in HTML, anyone who tries to
       render it with JavaScript enabled is absolutely going to get a popup.
       
       The good news: When a gopher server serves the hURL page as XML+XHTML
       Strict, browsers that render the page as XML might not run the
       JavaScript because the XML is malformed. So yeah, fuck using HTML 3.2
       for that page.
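
       An added example, not code from this post or from any gopher server:
       the two fixes named above (percent-encoding per RFC 1738, or HTML
       entities) next to the unescaped behaviour, checked with an HTML
       parser. The template, the function names and the harmless <i> marker
       are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed template: the URL lands in an attribute and in text, as on a
# typical hURL redirect page. Real servers' pages differ.
TEMPLATE = '<html><body><a href="{href}">{text}</a></body></html>'

# Reserved URL characters (plus "%" so existing escapes are not re-encoded)
# are kept; quote() percent-encodes the rest, including " < > and space.
KEEP = ":/?#[]@!$&()*+,;=%"

def render_raw(url):
    """What the post describes: the URL is pasted into the page unmodified."""
    return TEMPLATE.format(href=url, text=url)

def render_entities(url):
    """HTML entities for the markup characters; the URL itself is unchanged."""
    safe = html.escape(url, quote=True)
    return TEMPLATE.format(href=safe, text=safe)

def render_percent(url):
    """Percent-encode unsafe characters, then escape any & that remains."""
    safe = html.escape(quote(url, safe=KEEP), quote=True)
    return TEMPLATE.format(href=safe, text=safe)

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.hrefs = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs += [v for k, v in attrs if k == "href"]

def parse_page(page):
    """Return (start tags, href values) as an HTML parser sees the page."""
    p = _Tags()
    p.feed(page)
    p.close()
    return p.tags, p.hrefs

LEGIT = 'https://radar.zcrayfish.soy/"uhoh".html'  # URL from the post
MARKED = LEGIT + '"><i>injected</i>'               # constructed, harmless markup

if __name__ == "__main__":
    for render in (render_raw, render_entities, render_percent):
        print(render.__name__, parse_page(render(LEGIT))[1],
              parse_page(render(MARKED))[0])
```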
       ----------------------------------------
       200 folks realized that hURL reinventing the wheel over type w was a very
       bad idea.
       Comments have been left on this post:
       
       This is fixed in geomyidae.
       Posted Sat Feb 10 11:36:08 UTC 2024 by p508932fb.dip0.t-ipconnect.de.
       ------------------------------------------------------------------------
       The security side of this is fixed in the most recent versions of
       bucktooth and geomyidae. Breaking change though because folks who were
       using the reserved characters in their gophermap hURL entries will have
       to change them somehow.  Not a hypothetical.
       Posted Tue Feb 20 15:19:27 UTC 2024 by zcrayfish
       ------------------------------------------------------------------------