Complete ice server url validation #2996

Open
wants to merge 4 commits into
base: main

dontcallmedom (Member) commented Sep 3, 2024

close #2912



@dontcallmedom (Member Author)

(the CI error is because we don't have tests for this; as noted in #2950 this is only a continuation of the lack of tests for this change; see also #2997)

@dontcallmedom (Member Author)

As discussed in #2997 (comment), reusing the `application/x-www-form-urlencoded` parser means making `?&transport=udp` parsable; an alternative would be to instead do the split on `=` ourselves (rather than invoking the URL algorithm), limiting the set of acceptable query strings to `?transport=udp` and `?transport=tcp` (which would align better at least with the libwebrtc implementation). Happy to change the PR in that direction if that's the preferred path.

jan-ivar (Member) commented Sep 3, 2024

> ... reusing the `application/x-www-form-urlencoded` parser means making `?&transport=udp` parsable

Less custom URL parsing seems in line with being "consistent with how we treat URLs elsewhere in the platform." #2660 (comment)

> an alternative would be to instead do the split on `=` ourselves (rather than invoking the URL algorithm), limiting the set of acceptable query strings to `?transport=udp` and `?transport=tcp`

OTOH, if this simple string compare lets us keep this in REC, why not do that for now, and add application/x-www-form-urlencoded back in later?

That seems a reasonable way to increment here to me.

jan-ivar (Member) commented Sep 3, 2024

Are there any URLs that would reveal differences in parsing of the first part of the URL (ahead of the `?`)?

dontcallmedom added a commit that referenced this pull request Sep 4, 2024
and forbid query string on stun/stuns
see #2996 (comment)

@dontcallmedom (Member Author)

I've switched to using a simple string comparison; I'm not sure using `application/x-www-form-urlencoded` parsing buys us much when it is not clear the RFC means it that way.

jan-ivar (Member) commented Sep 4, 2024

Yeah, that algorithm supports multiple query parameters whereas our RFC does not, so it's arguably odd to support `&` at all.
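
The two query-string checks weighed in this thread, side by side, as an added example that is not part of the PR, the spec text, or any participant's comment. `strictQueryOk` is the plain string comparison; `formQueryOk` is an assumed reading of the `application/x-www-form-urlencoded` approach (exactly one `transport` pair). All function names and the `t.example` host are constructed, scheme matching is simplified to lowercase, and host/port validation is out of scope.

```javascript
// Added example; helper names and sample URLs are constructed for illustration.
const STUN = new Set(["stun", "stuns"]);
const TURN = new Set(["turn", "turns"]);

// Split "scheme:hostport?query" by hand; query is null when there is no "?".
function splitIceUrl(url) {
  const colon = url.indexOf(":");
  if (colon < 0) return null;
  const rest = url.slice(colon + 1);
  const q = rest.indexOf("?");
  return { scheme: url.slice(0, colon), query: q < 0 ? null : rest.slice(q + 1) };
}

// Plain string comparison: only the two exact query strings pass.
function strictQueryOk(query) {
  return query === "transport=udp" || query === "transport=tcp";
}

// Assumed form-urlencoded variant: parse, then require a single transport pair.
function formQueryOk(query) {
  const pairs = [...new URLSearchParams(query)];
  if (pairs.length !== 1) return false;
  const [name, value] = pairs[0];
  return name === "transport" && (value === "udp" || value === "tcp");
}

// Shared wrapper: stun/stuns never take a query; turn/turns may omit it.
function isValid(url, queryOk) {
  const parts = splitIceUrl(url);
  if (!parts) return false;
  if (STUN.has(parts.scheme)) return parts.query === null;
  if (!TURN.has(parts.scheme)) return false;
  return parts.query === null || queryOk(parts.query);
}

// Inputs on which the two checks disagree (parser differentials).
function differentials(urls) {
  return urls.filter((u) => isValid(u, strictQueryOk) !== isValid(u, formQueryOk));
}

// Constructed sample inputs.
const SAMPLES = [
  "turn:t.example?transport=udp", "turn:t.example?&transport=udp",
  "turn:t.example?transport=ud%70", "turn:t.example?transport=tcp&",
  "stun:t.example?transport=udp", "turn:t.example?transport=udp&transport=tcp",
];
console.log(differentials(SAMPLES));
```
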
