Closed
Bug 127870
Opened 24 years ago
Closed 23 years ago
URL: "@" in password treated as delimiter in <userinfo>@<host>:<port>
Categories
(Core :: Networking, defect, P3)
Core
Networking
Tracking
()
VERIFIED
FIXED
mozilla1.0
People
(Reporter: petter.sundlof, Assigned: andreas.otte)
References
()
Details
(Keywords: testcase, Whiteboard: checkmac)
Attachments
(1 file, 2 obsolete files)
|
1.33 KB,
patch
|
dougt
:
review+
darin.moz
:
superreview+
dbaron
:
approval+
|
Details | Diff | Splinter Review |
Mozilla 0.9.8:
Try to load ftp://anonymous:bla@bla.com@findus.dhs.org/
Mozilla says Alert: "bla.com@findus.dhs.org could not be found. Please check the
name and try again".
I am sure this is a duplicate, but I couldn't find it in Query (Bugzilla badly
needs an improved Query... how to improve it I do not know :/)
|
||
Comment 1•24 years ago
|
||
The url is invalid, the "@" in the password needs to be escaped as %40
|
||
Comment 2•24 years ago
|
||
I agree :
-> invalid
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
|
|
Reporter | |
Comment 3•24 years ago
|
||
Apparently according to some person it is a valid FTP RFC URL.
Anyhow, Netscape 4 handles it.
How is Mozilla going to handle sending e-mail addresses as URLs? If it is
possible to set it in the preferences as FTP password, the users probably thinks
the client can handle it in the URL field, as well.
If I type in ftp://anonymous:bla%40bla.com@findus.dhs.org/, the index page shows:
ftp://anonymous:bla@bla.com@findus.dhs.org/
Very confusing -- what if I want to copy and paste that address?
This is ugly.
|
|
||
Comment 4•24 years ago
|
||
CC andreas.otte@debitel.net : He should know if this URL is valid...
|
|
Assignee | |
Comment 5•24 years ago
|
||
This is a nasty problem. To not confuse the urlparser a username/password should
not contain a @, it has to be escaped, because in the urlsyntax it delimits
username/password from the host.
And the title in the index page should not unescape it, at least that's my
opinion. I remember there is a pref somewhere inside mozilla to control it
inside mail/news, allow or not allow @ inside username/password.
However there is no such thing for ftp or http urls. If we send the email
address as password to the ftp server we do it inside the ftp protocol.
But I will take a look at the urlparser if it is possible to be better ...
reopening for now
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
|
|
Assignee | |
Comment 6•24 years ago
|
||
assigning to me
Assignee: new-network-bugs → andreas.otte
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Assignee | |
Comment 7•24 years ago
|
||
rfc 2396 says:
URL schemes that involve the direct use of an IP-based protocol to a
specified server on the Internet use a common syntax for the server
component of the URI's scheme-specific data:
<userinfo>@<host>:<port>
where <userinfo> may consist of a user name and, optionally, scheme-
specific information about how to gain authorization to access the
server. The parts "<userinfo>@" and ":<port>" may be omitted.
server = [ [ userinfo "@" ] hostport ]
The user information, if present, is followed by a commercial at-sign
"@".
userinfo = *( unreserved | escaped |
";" | ":" | "&" | "=" | "+" | "$" | "," )
@ is not part of unreserved or escaped ... so technically mozilla does nothing
wrong when parsing the url. However since the hostname also does not include a @
(I hope that is still true for iDNS) it might be possible to go after the
rightmost @ in the authority component.
|
|
Assignee | |
Comment 8•24 years ago
|
||
With this patch we look for the last @ in the authority section not the first
one to delimit userinfo from host. Doing so is not necessary according to RFC
2396, but this will fixup urls that have not escaped the @ inside username
and/or password. The escape of @ inside username/password however still
happens.
|
|
Assignee | |
Updated•24 years ago
|
Status: NEW → ASSIGNED
OS: Linux → All
Priority: -- → P3
Hardware: PC → All
Target Milestone: --- → mozilla1.0
|
|
||
Comment 9•24 years ago
|
||
be careful.. what if authLen is zero? i think nsURLParsers really needs a
reverse memchr impl, but that can wait.
|
|
Assignee | |
Comment 10•24 years ago
|
||
Hmmmm ... valid point, revised version coming ...
|
|
Assignee | |
Comment 11•24 years ago
|
||
bail out with NS_ERROR_MALFORMED_URI if authLen == 0, after all we are in the
AuthURLParser!
Attachment #71728 -
Attachment is obsolete: true
|
|
||
Comment 12•24 years ago
|
||
i wouldn't say that's necessarily an error. imagine an protocol in which the
authority is optional. not that i can think of such an example off the top of
my head, but whatever. seems like you should just do this instead:
if (authLen == 0) {
SET_RESULT(username, 0, -1);
SET_RESULT(password, 0, -1);
SET_RESULT(hostname, 0, 0);
if (port)
*port = -1;
return NS_OK;
}
looks like ParseServerInfo needs a similar check :-(
|
|
||
Comment 13•24 years ago
|
||
fwiw: this is what nsBaseURLParser::ParseAuthority does when it gets an empty
string.
|
|
Assignee | |
Comment 14•24 years ago
|
||
Hmmm ... in the old urlparser world the AuthParser expected to find an
authority, that's what that parser was for. The current one does something
similar ... in a way. If it gets fed with http:///path which looks like a http
url without a host it just ignores the third slash and uses path as host. Kind
of enforcing a host :)
Anyway, your suggestion is surely more consistent with the current
implementation, next version coming up including check in ParseServerInfo.
|
|
Assignee | |
Comment 15•24 years ago
|
||
Attachment #71741 -
Attachment is obsolete: true
|
|
||
Comment 16•24 years ago
|
||
Comment on attachment 71755 [details] [diff] [review]
revised version, now simply set segments to 0, also includes check for ParseServerInfo
sr=darin
andreas: the point is that anyone could instantiate a URL parser, and
ParseAuthority is a public method.
Attachment #71755 -
Flags: superreview+
|
||
Comment 17•23 years ago
|
||
Comment on attachment 71755 [details] [diff] [review]
revised version, now simply set segments to 0, also includes check for ParseServerInfo
r=dougt
Attachment #71755 -
Flags: review+
Comment on attachment 71755 [details] [diff] [review]
revised version, now simply set segments to 0, also includes check for ParseServerInfo
a=dbaron for trunk checkin
Attachment #71755 -
Flags: approval+
|
|
Assignee | |
Comment 19•23 years ago
|
||
fix checked in on trunk
Status: ASSIGNED → RESOLVED
Closed: 24 years ago → 23 years ago
Resolution: --- → FIXED
|
|
||
Comment 20•23 years ago
|
||
quick extension of summary... if someone has something more meaningful, please
change this...
|
|
||
Comment 21•23 years ago
|
||
So what is the effect of the fix? Is it to always use the last "@"?
What is the fate of the previous "@"'s?
At first I thought you had implemented something else, so I did a packet trace
of a FTP (HTTP proxy) request to see if that was wrong, and I found that the
ftp URL is escaped before sending to the proxy server.
reporter: can you confirm if this works for you now? also, can you tell us if
that ULR is supposed to work (or just not give the DNS error anymore?)
Summary: Mozilla thinks it should contact bla.com@findus.dhs.org → URL: "@" in password treated as delimiter in <userinfo>@<host>:<port>
|
|
Assignee | |
Comment 22•23 years ago
|
||
We always go for the last unescaped @ in the authority section as delimiter
between host and username/password. Other @ are part of the username and/or
password.
Although we do this now @ is still not allowed in usernames and passwords by RFC
2396, so it gets escaped as it should be.
|
|
Reporter | |
Comment 23•23 years ago
|
||
Yes, this seems to work now.
|
|
||
Comment 24•23 years ago
|
||
VERIFIED: mozilla 1.1, Win98.
It's going into the ftp testcases, so I'll open if it doesn't work for linux|macOSX.
You need to log in
before you can comment on or make changes to this bug.
Description
•