How do you safely do this? HTTPS://site.com/data/ + protect(untrusted); URL encoding is not the answer, it still allows path traversal. Base64 encoding is not the answer, the + and / characters, legal in base64, can skew a URL.
Replying to @manicode
What kind of protection? A JWT could work there, it uses only URL safe characters, and is integrity protected. If you don't need integrity protection then just URL safe Base64 I guess

Mar 31, 2023 · 10:48 PM UTC

Replying to @aaronpk
SafeBase64 protects against path traversal or path manipulation where urlencoding and normal Base64 do not!
Ultimately the question is where does the untrusted data come from and how is it used, because URL-safe-base64-encoding a "../" will just decode to "../" on the other side.
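
The encodings discussed in this thread, side by side, as an added example that was not written by any of the participants: it builds the path segment three ways and then shows the receiving-side check on the decoded value. The function names and sample inputs are constructed for illustration; only the base URL comes from the thread.

```python
import base64
import posixpath
from urllib.parse import quote, urlsplit

BASE = "https://site.com/data/"  # base URL from the thread, lower-cased

def seg_urlencode(untrusted: str) -> str:
    # Percent-encode everything that can be encoded; "." is unreserved and stays.
    return quote(untrusted, safe="")

def seg_b64(untrusted: str) -> str:
    # Standard alphabet: may emit "+" and "/".
    return base64.b64encode(untrusted.encode()).decode()

def seg_b64url(untrusted: str) -> str:
    # URL-safe alphabet ("-" and "_"), padding stripped.
    return base64.urlsafe_b64encode(untrusted.encode()).decode().rstrip("=")

def url_path(segment: str) -> str:
    # Path component of the final URL, before any normalisation.
    return urlsplit(BASE + segment).path

def resolved_path(segment: str) -> str:
    # Path after dot-segment removal, as a normalising client or proxy sees it.
    return posixpath.normpath(url_path(segment))

def decode_and_check(segment: str) -> str:
    # Receiving side: decode, then validate the decoded value before use.
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    value = raw.decode("utf-8")
    if value in ("", ".", "..") or any(c in value for c in "/\\\x00"):
        raise ValueError("decoded value is not a single safe name")
    return value

if __name__ == "__main__":
    for sample in ("..", "???>>>", "../", "report.txt"):  # constructed inputs
        print(repr(sample), seg_urlencode(sample), seg_b64(sample), seg_b64url(sample))
```

The URL-safe segment keeps the URL itself to one path segment under `/data/`; whether the decoded value is safe to use is decided only by the check on the receiving side.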