Tuesday, January 1, 2008

Avoiding URI comparison security bugs in Windows APIs

This post is directly related to some work I'm going to be doing, so I was happy to stumble across it in my feed reader.

Bottom line: Use IUri::IsEqual.

Future extra credit: use Reflector to find out what .NET methods there are for URI comparison and whether they marshal to the good or the bad methods mentioned here...

IEBlog : URI Comparison Functions
Investigating URI parsing related issues in various products, I’ve run across many instances of code erroneously attempting to compare two URIs for equality. In some cases the author writes their own comparison and seems to be unaware of URI semantics and in other cases the author delegates to a Windows provided function that doesn’t quite work for the author’s scenario. In this blog post I’ll describe some of the unmanaged URI comparison functions available to Win32 developers, and a few common mistakes to avoid.
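The two mistakes the excerpt describes, as an added example that is not part of this post or of the IEBlog article it links to: a byte-for-byte string comparison and a prefix-based allow-list check, placed next to a comparison that first applies the syntax-based normalization rules of RFC 3986 (case of scheme and host, default ports, dot segments, percent-encoding of unreserved characters). The normalizer and the sample URIs are constructed for this illustration in portable Python; on Windows the post's advice stands, delegate to IUri::IsEqual rather than hand-rolling one, and use inputs like these to test whichever library comparison you end up calling.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Default ports per scheme (RFC 3986 section 6.2.3): an explicit default port
# is equivalent to no port at all.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

# RFC 3986 section 2.3 unreserved characters. Percent-encoding these never
# changes meaning, so a normalizer decodes them. Everything else stays encoded:
# "%2F" inside a path segment is NOT the same resource as a literal "/".
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def naive_equal(a, b):
    """The buggy check the post warns about: plain string equality."""
    return a == b


def naive_allowlisted(uri, allowed_origin):
    """Another common mistake: a prefix test instead of an origin comparison."""
    return uri.startswith(allowed_origin)


def _normalize_percent(s):
    """Decode escapes of unreserved characters; uppercase the hex of all others."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else "%" + m.group(1).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def _remove_dot_segments(path):
    """RFC 3986 section 5.2.4: resolve "." and ".."; ".." cannot climb above root."""
    segments = path.split("/")
    out = []
    last = len(segments) - 1
    for i, seg in enumerate(segments):
        if seg == ".":
            if i == last:
                out.append("")  # "/a/." keeps its trailing slash
        elif seg == "..":
            if len(out) > 1:
                out.pop()
            if i == last:
                out.append("")  # "/a/b/.." becomes "/a/"
        else:
            out.append(seg)
    return "/".join(out)


def normalize(uri):
    """Canonical form under RFC 3986 section 6.2 (syntax-based normalization only)."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if ":" in host:                      # IPv6 literal: urlsplit strips the brackets
        host = "[" + host + "]"
    port = p.port                        # None when absent; raises ValueError if malformed
    if port == DEFAULT_PORTS.get(scheme):
        port = None
    netloc = host if port is None else "%s:%d" % (host, port)
    if p.username is not None:
        cred = p.username if p.password is None else "%s:%s" % (p.username, p.password)
        netloc = "%s@%s" % (cred, netloc)
    # Decode unreserved escapes first so "%2E%2E" is treated as ".." below.
    path = _remove_dot_segments(_normalize_percent(p.path))
    if not path and scheme in DEFAULT_PORTS:
        path = "/"                       # "http://h" and "http://h/" are equivalent
    return urlunsplit((scheme, netloc, path,
                       _normalize_percent(p.query), _normalize_percent(p.fragment)))


def semantic_equal(a, b):
    """Equality after normalization: the kind of comparison the post says to
    delegate to IUri::IsEqual on Windows instead of writing yourself."""
    return normalize(a) == normalize(b)


def same_origin(a, b):
    """Scheme, host and effective port must all match; this is the check that
    most URI allow-lists actually need, not a string prefix."""
    pa, pb = urlsplit(normalize(a)), urlsplit(normalize(b))
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def allowlisted(uri, allowed_origin):
    return same_origin(uri, allowed_origin)


if __name__ == "__main__":
    # Constructed sample inputs: each pair is the same resource under RFC 3986.
    for x, y in [("http://example.com/", "HTTP://example.com:80/"),
                 ("http://example.com/a/../b", "http://example.com/b"),
                 ("http://example.com/%7Euser", "http://example.com/~user")]:
        print("naive:", naive_equal(x, y), " semantic:", semantic_equal(x, y), x, y)
    # The prefix check passes an attacker-controlled host; the origin check does not.
    evil = "http://example.com.evil.net/x"
    print(naive_allowlisted(evil, "http://example.com"), allowlisted(evil, "http://example.com"))
```

Note the one place where the normalizer deliberately refuses to equate two strings: "%2F" is left encoded, so "/a%2Fb" and "/a/b" stay different. Decoding everything and then comparing is a third common mistake, and it is the one that turns an equality check into a path-traversal or allow-list bypass.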

