Monday, November 5th, 2007
It is nice to see a post on IEBlog that isn’t about ES4 ;) Dave Risney provides just that as he details the perils of comparing URIs, a common cause for security exploits and errors in general.
Investigating URI parsing related issues in various products, I've run across many instances of code erroneously attempting to compare two URIs for equality. In some cases the author writes their own comparison and seems to be unaware of URI semantics and in other cases the author delegates to a Windows provided function that doesn't quite work for the author's scenario. In this blog post I'll describe some of the unmanaged URI comparison functions available to Win32 developers, and a few common mistakes to avoid.
The latest URI RFC 3986 does an excellent job of describing a ladder of URI comparisons. The range on the ladder trades off comparison speed for number of false negatives. A false negative in this case means that the URI comparison function says two URIs are not equivalent when they are. However, nowhere on the ladder will a comparison generate a false positive. That is, a URI comparison function should never incorrectly report that two URIs are equivalent.
To summarize, IUri::IsEqual is a good Scheme-Based Normalization URI comparison function, UrlCompare and CoInternetCompareUrl should be avoided for fear of security bugs, and with no better choices a simple case sensitive string comparison will suffice.
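As an added illustration of the ladder Dave describes (this is not code from his post nor a wrapper around any Windows API), here is a small Python model of the RFC 3986 section 6.2 rungs. The function names `normalize` and `ladder` are my own; each rung accepts more genuinely equivalent pairs than the one below it, while the `%2F` case shows why no rung may decode a reserved character, since that would manufacture a false positive.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Characters that never need percent-encoding (RFC 3986 section 2.3).
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
DEFAULT_PORTS = {"http": 80, "https": 443}  # used only by the scheme-based rung


def _normalize_pct(s: str) -> str:
    """Uppercase %XX hex digits; decode only unreserved characters."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        return ch if ch in UNRESERVED else m.group(0).upper()
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def _remove_dot_segments(path: str) -> str:
    """Drop '.' and resolve '..' segments (RFC 3986 section 5.2.4)."""
    segs, out = path.split("/"), []
    for seg in segs:
        if seg == "..":
            if len(out) > 1:  # never pop the leading '' of an absolute path
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segs[-1] in (".", ".."):
        out.append("")  # a trailing dot segment keeps the trailing slash
    return "/".join(out)


def normalize(uri: str, scheme_based: bool = False) -> str:
    """Syntax-based normalization (6.2.2); scheme_based adds http(s) rules (6.2.3)."""
    p = urlsplit(uri)
    scheme, port = p.scheme.lower(), p.port
    userinfo = p.netloc.rsplit("@", 1)[0] + "@" if "@" in p.netloc else ""
    path = _remove_dot_segments(_normalize_pct(p.path))
    if scheme_based and scheme in DEFAULT_PORTS:
        if port == DEFAULT_PORTS[scheme]:
            port = None  # http://a:80/ names the same resource as http://a/
        if path == "":
            path = "/"  # http://a names the same resource as http://a/
    netloc = userinfo + (p.hostname or "") + (f":{port}" if port is not None else "")
    return urlunsplit((scheme, netloc, path, _normalize_pct(p.query), p.fragment))


def ladder(a: str, b: str) -> list:
    """Names of the rungs at which a and b are judged equivalent."""
    rungs = [
        ("simple-string", lambda x, y: x == y),
        ("syntax-based", lambda x, y: normalize(x) == normalize(y)),
        ("scheme-based", lambda x, y: normalize(x, True) == normalize(y, True)),
    ]
    return [name for name, eq in rungs if eq(a, b)]
```

`ladder("http://a:80", "http://a/")` returns only `["scheme-based"]`, whereas `ladder("http://a/%2Fb", "http://a//b")` returns `[]` at every rung.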
Posted by Dion Almaer at 7:30 am