cURL and the IUri Interface


Making a trust decision based on the name of something is rife with error because there are so many ways to name resources, and such comparisons are often subject to canonicalization errors (Howard and LeBlanc 2003). Making a trust decision based on elements of a URI is fraught with risk because there are so many ways to canonicalize URIs. That said, all Web browsers make security decisions based on URIs. The real underlying risk with canonicalization arises when more than one piece of code interprets a name differently. This “impedance mismatch” can lead to one unit of code thinking a name is “good” while another portion of code thinks the name is “bad.” To alleviate this problem, the Internet Explorer 7 team migrated IE itself to use only one canonicalizer and then made that code available for all to use. That code is named the consolidated URL parser, or cURL (Microsoft 2006c).

Note 

Although a few exceptions exist for compatibility purposes, cURL is generally aggressive at rejecting URIs that are invalid under the latest standard covering the subject (RFC 3986).

To use cURL in your browser component, you should include <urlmon.h>, link with urlmon.lib, and make sure you have the following line in your code before you load urlmon.h:

 #define _WIN32_IE _WIN32_IE_IE70

The following code shows a basic way to use the cURL interface to create an IUri object from a URI string and break it down into its components.

 #define _WIN32_IE _WIN32_IE_IE70
 #include <windows.h>
 #include <urlmon.h>
 #include <stdio.h>

 int wmain(int argc, wchar_t* argv[]) {
     if (argc != 2) {
         wprintf(L"Please enter a URL\n");
         return -1;
     }
     wchar_t *pwszUri = argv[1];

     // Create an IUri object from the URI
     IUri *pIUri = NULL;
     HRESULT hr = CreateUri(pwszUri,
                            Uri_CREATE_ALLOW_RELATIVE,
                            0,
                            &pIUri);
     if (SUCCEEDED(hr)) {
         // Each accessor hands back a BSTR that the caller must free
         BSTR bstrSchemeName = NULL;
         if (SUCCEEDED(pIUri->GetSchemeName(&bstrSchemeName))) {
             wprintf(L"Scheme: %s\n", bstrSchemeName);
             SysFreeString(bstrSchemeName);
         }
         BSTR bstrHost = NULL;
         if (SUCCEEDED(pIUri->GetHost(&bstrHost))) {
             wprintf(L"Host : %s\n", bstrHost);
             SysFreeString(bstrHost);
         }
         // The port is returned as a number, so nothing to free here
         DWORD dwPort = 0;
         if (SUCCEEDED(pIUri->GetPort(&dwPort))) {
             wprintf(L"Port : %u\n", dwPort);
         }
     }
     if (pIUri)
         pIUri->Release();
     return 0;
 }

Note also that there is a new COM interface named IInternetSecurityManagerEx2 that accepts IUri objects; use it instead of IInternetSecurityManagerEx and IInternetSecurityManager.

Various URL parsing functions, including the following, are considered deprecated in favor of cURL once your code uses cURL:

  • InternetCrackUrl

  • ParseURL

  • UrlIsOpaque

  • UrlGetPart

  • UrlGetLocation

  • InternetCanonicalizeUrl

  • UrlCanonicalize

  • UrlUnescape

  • UrlEscape

  • InternetCreateUrl

  • CreateURLMoniker

The performance impact of cURL is generally no different from using other canonicalization functions, but fewer function calls and therefore fewer redundant escape operations can lead to performance benefits.

There are potential application compatibility side effects because Internet Explorer 7 uses cURL internally and has much stricter URL parsing; some nonvalid URL sequences that used to work may no longer work in script or browser add-ons.
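The impedance mismatch described at the start of this section, as an added example that is not from the book: a hand-rolled host extractor and an RFC 3986 parser (the reference regular expression from RFC 3986 Appendix B, standing in for the single canonicalizer role that cURL plays on Windows) are given the same constructed URLs and the same trust rule, and the URLs on which their trust decisions differ are reported. `TRUSTED_HOST` and the sample URLs are constructed assumptions.

```python
import re

# RFC 3986, Appendix B: the reference regular expression that splits a URI
# into scheme, authority, path, query and fragment (groups 1-5).
_RFC3986 = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?")

TRUSTED_HOST = "trusted.example"  # constructed allowlist entry


def naive_host(url):
    """Ad hoc parser: whatever sits between '://' and the next '/'."""
    rest = url.partition("://")[2]
    return rest.split("/", 1)[0]


def rfc3986_host(url):
    """Standards-based parser: the host inside the RFC 3986 authority."""
    authority = _RFC3986.match(url).group(2) or ""
    hostport = authority.rpartition("@")[2]           # drop userinfo
    if hostport.startswith("[") and "]" in hostport:  # IPv6 literal
        return hostport[: hostport.index("]") + 1].lower()
    return hostport.rsplit(":", 1)[0].lower()         # drop port, fold case


def is_trusted(host):
    """One trust rule, applied to whatever host each parser produced."""
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def impedance_mismatches(urls):
    """URLs on which the two parsers reach different trust decisions."""
    return [u for u in urls
            if is_trusted(naive_host(u)) != is_trusted(rfc3986_host(u))]


# Constructed sample inputs; comments give the naive / RFC 3986 verdicts.
SAMPLE_URLS = [
    "http://trusted.example/index.html",      # trusted / trusted
    "http://trusted.example@evil.example/",   # untrusted / untrusted
    "HTTP://TRUSTED.EXAMPLE/",                # untrusted / trusted (case)
    "http://sub.trusted.example:8080/x",      # untrusted / trusted (port)
    "http://evil.example?.trusted.example/",  # trusted / untrusted ('?')
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        flag = "MISMATCH" if impedance_mismatches([url]) else "ok"
        print(f"{flag:8} naive={naive_host(url)!r:40} "
              f"rfc3986={rfc3986_host(url)!r}")
```

The last three sample URLs are the ones where a trust check built on the ad hoc parser disagrees with the RFC 3986 parse, in both directions; routing every check through one parser removes that disagreement.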

Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
Year: 2004
Pages: 122