Open notmandatory opened 3 weeks ago
IMO we should take this as a chance to take a hatchet to the massive dependency tree of the "normal" rust ecosystem HTTP clients (eg reqwest) and replace them all with minreq or whatever.
We should discuss this tomorrow.
Describe the bug
The `url` crate that `reqwest` uses silently converts international domain names (IDNs). This makes BDK vulnerable to URL homograph attacks.
Blockchain clients that BDK uses should prevent URL homograph attacks by disallowing URLs with IDNs and not silently converting them.
To Reproduce
Use an IDN in a URL with the `bdk_esplora` blockchain client; it is silently converted to a valid domain name. This should also be tested with the `bdk_electrum` and any other blockchain data clients that accept user-provided URLs.
Expected behavior
The `bdk_esplora` and any other BDK blockchain clients should return an error if an IDN is used in a URL.
Build environment
Additional context
From discord chat with @bluematt:
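
Added example, not part of the issue or the Discord chat and not BDK code: a std-only Rust pre-check that a client could run on a user-supplied URL before handing it to an HTTP library, so an IDN host produces an error instead of being converted. `check_host` and `HostError` are hypothetical names, and rejecting already-encoded `xn--` labels and percent-encoded hosts is an assumed strict reading of the expected behavior above.

```rust
// Added example: std-only host pre-check (hypothetical names, not BDK code).
#[derive(Debug, PartialEq)]
pub enum HostError {
    NoAuthority,    // no "scheme://host" part found
    NonAscii,       // raw Unicode host; a URL parser would convert it to punycode
    PercentEncoded, // WHATWG parsers percent-decode the host before IDNA processing
    Punycode,       // already-encoded IDN label ("xn--...")
}

/// Returns the lowercased ASCII host, or an error if the host is (or hides) an IDN.
pub fn check_host(url: &str) -> Result<String, HostError> {
    let rest = url.split_once("://").ok_or(HostError::NoAuthority)?.1;
    // The authority ends at the first '/', '?', '#' (or '\', which WHATWG
    // parsers treat like '/' for http and https).
    let authority = rest
        .split(|c: char| matches!(c, '/' | '?' | '#' | '\\'))
        .next()
        .unwrap_or("");
    // Drop userinfo: everything up to the last '@'.
    let hostport = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    // Drop a trailing ":port"; a bracketed IPv6 literal is passed through unchanged.
    let host = if hostport.starts_with('[') {
        hostport
    } else {
        hostport.rsplit_once(':').map_or(hostport, |(h, _)| h)
    };
    if host.is_empty() {
        return Err(HostError::NoAuthority);
    }
    if host.contains('%') {
        return Err(HostError::PercentEncoded);
    }
    if !host.is_ascii() {
        return Err(HostError::NonAscii);
    }
    let host = host.to_ascii_lowercase();
    if host.split('.').any(|label| label.starts_with("xn--")) {
        return Err(HostError::Punycode);
    }
    Ok(host)
}

fn main() {
    // Constructed inputs; the second host starts with Cyrillic U+0435, not Latin 'e'.
    for u in ["https://example.com/api", "https://\u{0435}xample.com/api"] {
        println!("{:?} -> {:?}", u, check_host(u));
    }
}
```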