Skip Navigation

When URL parsers disagree (CVE-2023-38633)

www.canva.dev When URL parsers disagree (CVE-2023-38633) - Canva Engineering Blog

Discovery and walkthrough of CVE-2023-38633 in librsvg, when two URL parser implementations (Rust and Glib) disagree on file scheme parsing leading to path traversal.

When URL parsers disagree (CVE-2023-38633) - Canva Engineering Blog
3
TechNews @radiation.party irradiated @radiation.party
BOT
[HN] When URL parsers disagree (CVE-2023-38633, librsvg)
3 comments
  • @snaggen I think the better lesson than "don't mix URI parses" here is "don't LBYL, rely on EAFP". Many "Look before you leap" (LBYL) schemes are subject to variations of time-of-check/time-of-use errors. It's preferable to not sanitize input, but tell the processor what the policy on processing is; when it comes to a violation, it's easier to ask forgiving (i.e. report the error) than permission (EAFP).