[INVALID] Anti-XSS Protection Regex for google unsafe

alh
Posts: 2
Joined: Thu Aug 19, 2010 5:01 pm

Post by alh »

The Regex in the Anti-XSS Protection for google:

^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
allows for matches against domains that aren't owned by Google. For example, the Anti-XSS protection doesn't work for the following example hostnames:
* http://www.google.pzt.com/?
* https://www.google.lol.com/custom?

As long as you have http://<subdomain>.google.<3 character domain>.<com net org etc>/? the match will work.

Not a huge issue, but not ideal.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 Ubuntu
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Post by Giorgio Maone »

Thanks for the warning, but this is covered internally: if that regexp matches, a further test is done against the hostname to ensure that the terminal part after ".google." is actually a TLD.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
alh
Posts: 2
Joined: Thu Aug 19, 2010 5:01 pm

Post by alh »

In my limited testing I haven't seen this to be the case.

How would the internals even be aware that what comes after google. is a valid TLD as long as the hostname overall is a valid hostname?

google.pzt.com is a valid hostname as far as syntax goes...
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 Ubuntu
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Post by Giorgio Maone »

alh wrote: google.pzt.com is a valid hostname as far as syntax goes...

But pzt.com is not a valid TLD.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3370
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Post by GµårÐïåñ »

To simplify, what he means is that if what comes RIGHT AFTER google is not a valid TLD, then it would fail it. So it doesn't matter what type of valid hostname you put in there: if it manages to somehow satisfy the regex, then it will be nailed by failing the domain test. If it ain't google.com, google.TLD, then it would not satisfy that and it's moot. Get it now?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
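Added example, not part of the thread and not NoScript's own code: the two-stage check the replies describe, with the regex quoted in the first post as stage one and a suffix test on the hostname as stage two. The function names and the small suffix set are assumptions made for illustration; a real check would consult a complete public-suffix list.

```javascript
// Stage 1 pattern: the regex quoted in the first post, as a JS literal.
const GOOGLE_RX =
  /^https?:\/\/([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+\/(?:search|custom|\1)\?/;

// Constructed stand-in for a public-suffix list (assumption: covers only
// the sample URLs below; a real list is far larger).
const SAMPLE_SUFFIXES = new Set(["com", "it", "de", "co.uk", "com.au"]);

// Stage 1: does the URL satisfy the regex at all?
function matchesRegex(url) {
  return GOOGLE_RX.test(url);
}

// Stage 2: everything after the "google" label must be a known suffix,
// so "lol.com" or "pzt.com" in that position is rejected.
function hostEndsInSuffix(url, suffixes = SAMPLE_SUFFIXES) {
  let labels;
  try {
    labels = new URL(url).hostname.toLowerCase().split(".");
  } catch (e) {
    return false; // not a parseable URL
  }
  if (labels.length < 3 || labels[1] !== "google") return false;
  return suffixes.has(labels.slice(2).join("."));
}

// The exception applies only when both stages agree.
function isGoogleSearchUrl(url) {
  return matchesRegex(url) && hostEndsInSuffix(url);
}

// Sample URLs: the second hostname form is from the thread, paths constructed.
const samples = [
  "https://www.google.com/search?q=test",
  "https://www.google.co.uk/search?q=test",
  "https://www.google.lol.com/custom?",
  "http://www.google.pzt.com/search?q=test",
];
for (const u of samples) {
  console.log(u, "regex:", matchesRegex(u), "accepted:", isGoogleSearchUrl(u));
}
```

The last two samples pass the regex alone and are rejected only by the suffix stage, which is why the regex cannot be judged in isolation.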