Monday, November 5th, 2007
URI Comparison Functions
It is nice to see a post on IEBlog that isn’t about ES4 ;) Dave Risney provides just that as he details the perils of comparing URIs for equality, a common source of security bugs (a check that accepts one spelling of a URI but is bypassed by an equivalent one) and of plain errors in general.
Investigating URI parsing related issues in various products, I’ve run across many instances of code erroneously attempting to compare two URIs for equality. In some cases the author writes their own comparison and seems to be unaware of URI semantics and in other cases the author delegates to a Windows provided function that doesn’t quite work for the author’s scenario. In this blog post I’ll describe some of the unmanaged URI comparison functions available to Win32 developers, and a few common mistakes to avoid.
The latest URI RFC 3986 does an excellent job of describing a ladder of URI comparisons. The range on the ladder trades off comparison speed for the number of false negatives. A false negative in this case means that the URI comparison function says two URIs are not equivalent when they are. However, nowhere on the ladder will a comparison generate a false positive. That is, a URI comparison function should never incorrectly report that two URIs are equivalent.
To summarize, IUri::IsEqual is a good Scheme-Based Normalization URI comparison function, UrlCompare and CoInternetCompareUrl should be avoided for fear of security bugs, and with no better choices a simple case-sensitive string comparison will suffice.
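To make the ladder concrete, here is an added example in Python that walks the RFC 3986 section 6.2 rungs (simple string comparison, case normalization, percent-encoding normalization, path segment normalization, scheme-based normalization) and contrasts them with the shortcut the post warns against: unescaping and case-folding the whole string. This is not Risney's code and does not call IUri::IsEqual, UrlCompare or CoInternetCompareUrl; the rung numbering, the helper names and the sample URIs are this example's own constructed choices, and it deliberately leaves out IDN and other host-specific rules.

```python
"""RFC 3986 comparison ladder, as an added example (not the IEBlog post's code).

Rung numbers, helper names and sample URIs are this example's own choices.
"""
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Characters that may always be decoded without changing a URI's meaning.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
DEFAULT_PORTS = {"http": "80", "https": "443"}
_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")


def upper_escapes(s):
    """Case normalization of escapes: %7e -> %7E. Nothing is decoded."""
    return _ESCAPE.sub(lambda m: m.group(0).upper(), s)


def normalize_escapes(s):
    """Percent-encoding normalization: decode escapes of *unreserved*
    characters only (%7E -> ~, %41 -> A). Escapes of reserved characters
    such as %2F ('/') or %26 ('&') stay encoded, because decoding them
    would change where the path or query splits."""
    def fix(m):
        octet = int(m.group(1), 16)
        ch = chr(octet)
        return ch if ch in UNRESERVED else "%%%02X" % octet
    return _ESCAPE.sub(fix, s)


def remove_dot_segments(path):
    """Path segment normalization (RFC 3986 section 5.2.4)."""
    absolute = path.startswith("/")
    segs = path.split("/")[1:] if absolute else path.split("/")
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")      # "/a/."    -> "/a/"
        elif seg == "..":
            if out:
                out.pop()
            if last:
                out.append("")      # "/a/b/.." -> "/a/"
        else:
            out.append(seg)
    return ("/" if absolute else "") + "/".join(out)


def _split_hostport(hostport):
    """Split 'host:port'; an IPv6 literal such as '[::1]:8080' keeps its brackets."""
    tail = hostport.rsplit("]", 1)[-1]
    if ":" not in tail:
        return hostport, ""
    host, _, port = hostport.rpartition(":")
    return host, port


def normalize(uri, rung=5):
    """Normalize up to a rung: 1 string, 2 case, 3 percent-encoding,
    4 path segments, 5 scheme-based (drop default port, empty path -> '/')."""
    if rung <= 1:
        return uri
    p = urlsplit(uri)
    scheme, path, query, fragment = p.scheme, p.path, p.query, p.fragment
    userinfo, _, hostport = p.netloc.rpartition("@")
    host, port = _split_hostport(hostport)
    if rung >= 2:
        # Only scheme and host are case-insensitive; userinfo, path and
        # query keep their case (so /Admin and /admin stay distinct).
        scheme, host = scheme.lower(), host.lower()
        userinfo, path, query, fragment = map(upper_escapes, (userinfo, path, query, fragment))
    if rung >= 3:
        userinfo, path, query, fragment = map(normalize_escapes, (userinfo, path, query, fragment))
    if rung >= 4:
        path = remove_dot_segments(path)
    if rung >= 5 and scheme in DEFAULT_PORTS:
        if port == DEFAULT_PORTS[scheme]:
            port = ""
        if path == "":
            path = "/"
    netloc = (userinfo + "@" if userinfo else "") + host + (":" + port if port else "")
    return urlunsplit((scheme, netloc, path, query, fragment))


def equivalent(a, b, rung=5):
    """Compare at a rung of the ladder: never a false positive, and fewer
    false negatives the higher the rung."""
    return normalize(a, rung) == normalize(b, rung)


def naive_equal(a, b):
    """The shortcut the post warns about: unescape everything, then
    case-fold everything. Fast, but it reports false positives."""
    return unquote(a).lower() == unquote(b).lower()


if __name__ == "__main__":
    # Constructed sample pair: equivalent, but only rung 5 sees it.
    a = "HTTP://Example.COM:80/a/./b/../c/%7efoo"
    b = "http://example.com/a/c/~foo"
    for rung in range(1, 6):
        print("rung", rung, equivalent(a, b, rung))
    # The false positives a naive comparison produces:
    print(naive_equal("http://example.com/Admin", "http://example.com/admin"))   # True (wrong)
    print(equivalent("http://example.com/Admin", "http://example.com/admin"))    # False
    print(naive_equal("http://example.com/a%2Fb", "http://example.com/a/b"))     # True (wrong)
    print(equivalent("http://example.com/a%2Fb", "http://example.com/a/b"))      # False
```

The design point is the asymmetry Risney describes: each rung may only collapse spellings that RFC 3986 defines as identical, so stopping at a low rung costs false negatives but never a false positive, whereas the `naive_equal` shortcut equates `/Admin` with `/admin` and `a%2Fb` with `a/b`, which is exactly the kind of mistake that lets a blocked URI through an allow list.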

Um… in the RSS I got a TON of SPAM links before the main content ;)
Me too, and in another RSS item. Looks like you guys have been hacked.
Yep, me too. Seems like the RSS has been hacked.
Have a look at the screen dumps of google reader here: http://www.thoughtballoon.co.uk/blog/articles/2007/11/05/google-reader-or-ajaxian-feed-hacked
Super long URIs?
Spammage
Probably the spam was detected and removed.
But this is interesting.
It wasn’t removed. If you have the Web Developer toolbar, for example, turn off styles (Ctrl-Shift-S for those on Windows) and you’ll still see all the spam.
Spam is still there, just hidden with CSS.
You can see the spam in the source view of this page, too, btw. Do a view source and look for “lauren that Greg Kinnear” to see it… hidden via a styled font tag.
I stopped reading after the 20th spam link ;))
Time to change your password, guys. You’ve been pwn3d by some spammer.
Yep. same on bloglines.
Funky, huh?
kjhkjhkhl kjh k hkjh jk hkh k hkl jh lhkhl lhjhkljhklhjkh
Ajaxian got pwned
SPAM SPAM SPAM SPAM.
Not a fun thing to see in my inbox, hope you guys get it resolved
A problem with all of the spam is also: what else has been, or can be, crammed into this page? What is next? Malicious payloads? Malformed things people think are the dreaded QuickTime and it is something different?
As has been noted elsewhere, it would be highly recommended to at least post about what has been done to re-secure things. How it happened etc. would also be good…