Bug URL reserved characters in Addressable Group Name result in invalid HTTP requests

Discussion in 'Addressables' started by Moritz5thPlanet, Sep 12, 2021.

  1. Moritz5thPlanet

    If you name an Addressable group something like "Episodes 1 & 2 Data" (a perfectly legal Group and Asset name), the Addressables system will fire off illegal HTTPS requests (if remote paths are used) because the Addressables system doesn't escape these URLs :eek:

    (this leads to "400 - Bad Request" in most cases, e.g. on Unity Cloud Content Delivery)

    You can also have Scenes etc. with such names and their bundle names will also contain illegal characters that need to be escaped as well, basically anything in Addressables that generates a bundle or catalog needs to have its names sanitized in the generated URLs used for the requests.


    I am not a security expert but in addition to this being a very frustrating bug (because changing just the names will not result in updated asset hashes - good luck getting that garbage out of your caches everywhere) - I believe it can be used to forge near-arbitrary requests with the certificates/entitlements of the application by attackers modifying their locally cached catalogs or by replacing the remote ones through a proxy.

    Please sanitize those URLs - at least at build time.
     
    Last edited: Sep 12, 2021
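One way to do the escaping the post asks for, as an added example that is not from the post or from the Addressables package: each path segment is percent-encoded on its own before the request URL is assembled, and the result is checked against the configured host. The class and method names are hypothetical, and the base URL and bundle file name are constructed sample values.

```csharp
using System;
using System.Linq;

// Added illustration: hypothetical helper, not part of the Addressables package.
public static class RemoteBundleUrl
{
    // Encode each path segment separately so the '/' between segments survives
    // while reserved characters inside a name (& ? # % space) are escaped.
    public static string Build(string baseUrl, string relativePath)
    {
        if (string.IsNullOrEmpty(relativePath))
            throw new ArgumentException("empty bundle path", nameof(relativePath));

        string[] segments = relativePath.Split('/');

        // Reject empty and dot segments instead of trying to encode them.
        if (segments.Any(s => s.Length == 0 || s == "." || s == ".."))
            throw new ArgumentException("invalid path segment in: " + relativePath);

        string encoded = string.Join("/", segments.Select(s => Uri.EscapeDataString(s)));
        var url = new Uri(baseUrl.TrimEnd('/') + "/" + encoded, UriKind.Absolute);

        // Defense in depth: a group or scene name must never be able to
        // change the scheme, host or port the request is sent to.
        var root = new Uri(baseUrl, UriKind.Absolute);
        if (url.Scheme != root.Scheme || url.Host != root.Host || url.Port != root.Port)
            throw new InvalidOperationException("encoded URL left the configured host");

        return url.AbsoluteUri;
    }

    public static void Main()
    {
        // Constructed sample values; the host is a placeholder.
        const string baseUrl = "https://cdn.example.invalid/content";
        Console.WriteLine(Build(baseUrl, "episodes 1 & 2 data_assets_all.bundle"));
    }
}
```

Encoding only covers names the build produced; it does not authenticate a catalog that was modified in a local cache or replaced in transit, which is the second concern the post raises.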
  2. TreyK-47

    Unity Technologies
