VernissageApp / VernissageServer

Application which is the main API component for the Vernissage photo sharing platform.
https://vernissage.photos
Apache License 2.0

IDNs are not handled correctly #56

Open mgrzeca opened 4 months ago

mgrzeca commented 4 months ago

It's impossible to find a user whose user handle has an IDN as the domain part. Below is an example and a log excerpt:

[Screenshot 2024-04-19 at 13 02 14]
vernissage-api  | [ INFO ] GET /api/v1/search [request-id: B056B3FE-F30C-4817-83FF-223CC9EDA788]
vernissage-api  | [ NOTICE ] Base url cannot be parsed from user query: 'north@ꩰ.com'. [request-id: B056B3FE-F30C-4817-83FF-223CC9EDA788]

You can find such a user by manually converting the user handle to Punycode. However, in this case, the displayed name is incorrect (Punycode instead of IDN):

[Screenshot 2024-04-19 at 13 02 38]
mgrzeca commented 4 months ago

Yeah, I know IDNs are cancer and a potential security threat due to homograph attacks, but they've been around for a while and they're here to stay, so they should be handled properly.
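
The behaviour both comments ask for, sketched as an added Python example that is not part of the issue or of VernissageServer's code: accept a handle in either spelling, use the Punycode (A-label) form for lookup, show the Unicode form, and flag mixed-script labels as homograph candidates. All function names are hypothetical, the standard-library `idna` codec implements IDNA 2003, and the script check is a rough heuristic based on Unicode character names.

```python
import unicodedata

def split_handle(handle):
    """Split '[@]user@domain' into (user, domain)."""
    user, sep, domain = handle.strip().lstrip("@").rpartition("@")
    if not (sep and user and domain):
        raise ValueError(f"not a user@domain handle: {handle!r}")
    return user, domain

def to_ascii(domain):
    """U-labels -> A-labels (Punycode): the form to store, compare and fetch."""
    # Python's built-in codec implements IDNA 2003 (RFC 3490).
    return domain.encode("idna").decode("ascii").lower()

def to_unicode(ascii_domain):
    """A-labels -> U-labels: the form to show to the user."""
    return ascii_domain.encode("ascii").decode("idna")

def label_scripts(label):
    """Rough script guess: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def normalize_handle(handle):
    """Accept either spelling of a handle; return lookup and display forms."""
    user, domain = split_handle(handle)
    ascii_domain = to_ascii(domain)
    display_domain = to_unicode(ascii_domain)
    mixed = [l for l in display_domain.split(".") if len(label_scripts(l)) > 1]
    return {
        "lookup": f"{user}@{ascii_domain}",
        "display": f"{user}@{display_domain}",
        "mixed_script_labels": mixed,  # candidates for a homograph warning
    }

if __name__ == "__main__":
    # Constructed inputs; the first is the handle from the log excerpt above.
    for sample in ["north@ꩰ.com", "north@bücher.example",
                   "north@xn--bcher-kva.example", "north@\u0430pple.example"]:
        print(sample, "->", normalize_handle(sample))
```
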