InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

URIPatternList.parse mishandles * in domain

https://forums.informaction.com/viewtopic.php?t=80

Page 1 of 1

URIPatternList.parse mishandles * in domain

Posted: Mon Mar 23, 2009 1:16 am
by mattmccutchen
IIUC, the following line of noscriptService.js is responsible for * in force-HTTPS glob patterns:

Code: Select all

return '^' + p.replace(/^([^\/:]+:\/*)\*/, "$1[^/]*").replace(/\*/g, '.*?');
The first replacement appears to make the * in *.mattmccutchen.net not match slashes. But this doesn't work, because its output is affected by the second replacement. E.g., with *.mattmccutchen.net in the force-HTTPS list, http://a/.mattmccutchen.net is forced to HTTPS. Reversing the order of the replacements should fix the problem.

Re: URIPatternList.parse mishandles * in domain

Posted: Mon Mar 23, 2009 8:40 am
by Giorgio Maone
Ouch!
Reversing the order of the replacements should fix the problem.
It's not enough, actually.
Changed into

Code: Select all

return '^' + p.replace(/\*/g, '.*?').replace(/^([^\/:]+:\/*)\.\*/, "$1[^/]*");
(notice the extra dot being elided).
Fixed in latest development build, thanks.

Re: URIPatternList.parse mishandles * in domain

Posted: Thu Apr 09, 2009 7:41 am
by GµårÐïåñ
I had missed this, wow such a subtle but incredible difference. Sweet.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited