Closed
Bug 166616
Opened 22 years ago
Closed 22 years ago
% decoding problem causes violation of same-origin policy
Categories
(Core :: Networking, defect)
Tracking
()
VERIFIED
INVALID
People
(Reporter: cvaida, Unassigned)
References
()
Details
(Whiteboard: DUPEME)
Overview Description: Recently Liu Die Yu discovered an % encoding problem in Internet Explorer. And I quote him beneath. Just by curiosity I entered the URL in Mozilla rv:1.1b Gecko/20020826 build and the problem seems to be just the same as in Internet Explorer case. The % decoding is faulty (i guess:) Step to reproduce: Check this : http://www.yahoo.com%2f@www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-demo.htm Actual Results: The domain for Mozilla is the one entered before %2f and the actual page loaded is the one after %2f, which could mislead users to trust in pages not really coming from the domain. Expected Results: The domain for Mozilla to be the one entered before %2f and the page loaded to be the same as the domain before %2f. Build Date & Platform: Mozilla rv:1.1b Gecko/20020826 on Win32 Additional Builds and Platforms: Not tested. Additional Information: Here is the securityfocus.com advisory of Liu Die Yu: " it's about cross-site scripting at MSIEv6 client side using % encoding, but not the same as the one by PeaceFire.org which doesn't work on my PC. [tested]MSIEv6(CN version) {IEXPLORE.EXE file version: 6.0.2600.0000} {MSHTML.DLL file version: 6.00.2600.0000} [demo] at http://www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-MyPage.htm or clik.to/liudieyu ==> 2FforMSIE-MyPage section. [exp] %?? in URL is decoded when IE caculates the domain, but not decoded while downloading a page. so [CODE.URL]http://www.yahoo.com%2F@clik.to/liudieyu ( 2F=hex$(asc('/')) ) leads to clik.to/liudieyu instead of www.yahoo.com, and the domain of it www.yahoo.com for IE Very simple, that's all. [contact] liudieyuinchina@yahoo.com.cn "
|
||
Comment 1•22 years ago
|
||
This url is parsed as follows, which is absolutly correct: scheme:http username: www.yahoo.com%2f password: host:www16.brinkster.com port: directory: /liudieyu/2FforMSIE/ filebase name: 2FforMSIE-demo fileextension: htm param: query: ref: The correct page is loaded. The domain should also be what follows @.
|
|
||
Comment 2•22 years ago
|
||
Why do you think the domain in mozilla is www.yahoo.com?
|
|
||
Comment 3•22 years ago
|
||
The example on http://www.yahoo.com%2f@www16.brinkster.com/liudieyu/2FforMSIE/2FforMSIE-demo.htm uses a IE special function to show which domain is currently used. No way to see if the correct domain is used.
|
||
Comment 4•22 years ago
|
||
I've set up a testcase at: http://www.yahoo.com%2f@web.mit.edu/bzbarsky/www/testcases/security/username-in-domain.html Mozilla passes with flying colors: Error: uncaught exception: Permission denied to get property HTMLDocument.innerText We already have a bug on the confusing nature of such urls, no?
Whiteboard: DUPEME
|
|
||
Comment 5•22 years ago
|
||
Thanks Boris! I don't know, haven't seen it or can't remember. However there is no way to helpout here. This is the way urls are, as defined by RFC 2396 and others. My guess is that will not change because some people are unable to read such urls and get confused in the process. Recommend: INVALID!
|
||
Comment 6•22 years ago
|
||
see bug 122445.
|
|
||
Comment 7•22 years ago
|
||
reporter: Since there is no violation of the same-origin policy here in mozilla and there is already a bug about the decieving nature of such urls I would mark this bug invalid. Another option would be to change the summary and make it a dupe of bug 122445. Thanks for you effort.
|
|
||
Comment 8•22 years ago
|
||
Yep. Issue does not exist as reported.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
|
||
Comment 10•22 years ago
|
||
Catching up. Reopen if you disagree. Marking Verified!
Status: RESOLVED → VERIFIED
QA Contact: benc → jimmylee
You need to log in
before you can comment on or make changes to this bug.
Description
•