Hi Rowan

> If I've got a URL, which is already a string, what code would I write to
> "do some checks" on it, outside of a unit test?

That's just an example with an old version of PHP, but let's say you have
some code that makes requests, but only to a specific list of servers, so
you want to analyze the URL and check whether the host is in a whitelist. If
the provided URL is "http://127.0.0.1:11211#@google.com:80/" and you used
PHP <= 7.0.13, your parse_url function would tell you that the domain you're
trying to request is google.com, so everything is fine, but in fact when the
call to curl is made, curl would call 127.0.0.1. This one was fixed, but the
problem could still occur if the parser is not the same as the one used in
the requester.

> If I'm using CurlUrl to "add/delete/overwrite some parts" how is that
> not "using it alone as a representation of an URL"?

What I meant here was that if you're not using curl, there is no advantage
in using this class alone to parse, since the requester you're using could
handle the URL differently.

> If I'm writing a PSR-7 object, am I only supposed to use CurlUrl when
> interfacing with curl, and generate the string myself for other
> purposes? If the implementation I come up with differs from curl's, how
> does the user know which is the "real" URL?

You can use CurlUrl within your implementation of UriInterface, but for the
same reason, if you're using a request engine other than curl, you may have
the same security problem where curl will not parse the data the same way. If
you want to make sure that your CurlUrl object represents the same thing as
your UriInterface, you could build the CurlUrl object part by part using
your UriInterface. When you assign your CurlUrl to your CurlHandle with the
CURLOPT_CURLU option, curl will use the parts directly instead of parsing
the URL again, so you're sure that the host will be the one you set with
`CurlUrl::setHost()` and so on.

Pierrick

[1]
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
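An added example of the "build it part by part" approach discussed above (not code from this thread or from the CurlUrl RFC): the host is validated with parse_url() against an allow-list, and the URL handed to curl is rebuilt from the validated parts only, so the requester never re-parses the untrusted string. The allow-list, the helper name and the sample inputs are constructed for illustration.

```php
<?php
// Constructed allow-list of hosts this service may talk to.
const ALLOWED_HOSTS = ['google.com', 'api.example.com'];

// Hypothetical helper: returns a URL rebuilt from validated parts, or null
// if the input must be rejected. Userinfo and fragment are deliberately
// dropped, so "user@" or "#@" tricks cannot influence the host curl uses.
function buildAllowedUrl(string $untrusted): ?string
{
    $parts = parse_url($untrusted);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Reassemble only what was checked: scheme, host, optional port,
    // path and query. Nothing from the original string is passed through
    // unparsed, which is the same idea as setting CurlUrl parts one by one.
    $url = $scheme . '://' . $host;
    if (isset($parts['port'])) {
        $url .= ':' . $parts['port'];
    }
    $url .= $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $url .= '?' . $parts['query'];
    }
    return $url;
}

// Constructed inputs, including the URL from the thread. On a PHP where
// parse_url agrees with curl, the second and third are rejected because
// the host component is 127.0.0.1, not google.com.
$inputs = [
    'http://google.com/search?q=php',
    'http://127.0.0.1:11211#@google.com:80/',
    'http://google.com@127.0.0.1/',
];
foreach ($inputs as $in) {
    $out = buildAllowedUrl($in);
    printf("%-42s => %s\n", $in, $out ?? 'rejected');
}
// Only a rebuilt URL reaches curl: $ch = curl_init($out); ...
```

Redirects are a separate concern: a rebuilt URL only constrains the first request, so a client that follows Location headers must re-validate each hop against the same allow-list.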
