Closed Bug 1042347 Opened 10 years ago Closed 8 years ago

%2e entered in URL bar not normalized leading to denormalized request

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Version:
30 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX
Milestone:
mozilla47

People

(Reporter: mikesamuel, Assigned: CuveeHsu)

References

(Blocks 1 open bug)

Details

(Whiteboard: [necko-backlog])

Attachments

(1 file)

MozReview Request: Bug 1042347 - %2e entered in URL bar not normalized leading to denormalized request r?mcmanus
58 bytes, text/x-review-board-request
mcmanus
: review+
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 Steps to reproduce: 1. I started a local server in bash to log request paths. """ $ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... """ 2. I started Firefox (30.0 for Mac OS). 3. I entered "http://127.0.0.1/%2e" in the URL bar. (U+2e is '.'. See ASCII equivalence in spec sections quoted below) 4. I switched back to my shell and hit enter to create a break in the log 5. I entered "http://127.0.0.1/." in the URL bar. Actual results: I saw in the console running SimpleHttpServer: """ 127.0.0.1 - - [22/Jul/2014 17:26:56] "GET /%2e HTTP/1.1" 301 - 127.0.0.1 - - [22/Jul/2014 17:26:56] "GET / HTTP/1.1" 200 - [some favicon related requests elided] 127.0.0.1 - - [22/Jul/2014 17:26:56] "GET / HTTP/1.1" 200 - """ Expected results: I was surprised by the "GET /%2e". I believe the correct result should be a single request of "GET /" for both URLs like """ 127.0.0.1 - - [22/Jul/2014 17:26:56] "GET / HTTP/1.1" 200 - [some favicon related requests elided] 127.0.0.1 - - [22/Jul/2014 17:26:56] "GET / HTTP/1.1" 200 - """ ---- Since paths are used to decide which cookies to send, doing as much normalization on the path component before sending it reduces the attack surface of web applications. Perhaps some normalization step ignores encoded dots. I have not tried to see if I can trick Firefox into sending cookies for a more specific path instead of ones for a more general path based on encoded dot segments. Since cookie paths are not widely used and this would probably require socially engineering a user, I consider this low potential risk. ---- RFC 3986 says """ URIs that differ in the replacement of an unreserved character with its corresponding percent-encoded US-ASCII octet are equivalent """ and "." is an unreserved character. So "http://127.0.0.1:8000/" is equivalent, post path normalization, to "http://127.0.0.1:8000/." which is equivalent to "http:/127.0.0.1:8000/". RFC 3986 says """ The path segments "." and "..", also known as dot-segments, are defined for relative reference within the path name hierarchy. However, unlike in a file system, these dot-segments are only interpreted within the URI path hierarchy and are removed as part of the resolution process (Section 5.2). """ RFC 7230 (HTTP Request Syntax) suggests that the GET request path is syntactically an absolute-path and is not required to be an absolute&resolved path, but it seems odd to skip dot segment resolution when a dot is encoded.
The URLs I entered had port 8000 in them, so steps 3 and 5 should have "http://127.0.0.1:8000/%2e" and "http://127.0.0.1:8000/." instead of "http://127.0.0.1/%2e" and "http://127.0.0.1/."
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking
Ever confirmed: true
OS: Mac OS X → All
Product: Firefox → Core
Hardware: x86 → All
It does seem that http://example.com/%2e isn't properly normalized, but http://example.com/%2e/ is. Thanks for the bug report!
Assignee: nobody → valentin.gosu
Anne, I have a web-compat question here. If I'm reading the spec correctly, only %2e and %2e%2e (and variants) are to be decoded and replaced with the dot equivalents. However all browsers seem to transform %2e into . whenever it occurs in the path. So /%2eX -> /.X I'd like to argue that this is how it should be, since for the server to serve /%2eX I need to navigate to /%252eX instead. Any thoughts on this matter?
Blocks: url
Flags: needinfo?(annevk)
You found a bug: https://github.com/whatwg/url/issues/new (I could have sworn I tested this since I too thought it was weird, must have messed something up).
Flags: needinfo?(annevk)
(In reply to Anne (:annevk) from comment #5) > You found a bug: https://github.com/whatwg/url/issues/new (I could have > sworn I tested this since I too thought it was weird, must have messed > something up). https://github.com/whatwg/url/issues/77
Comment on attachment 8716254 [details] MozReview Request: Bug 1042347 - %2e entered in URL bar not normalized leading to denormalized request r?mcmanus https://reviewboard.mozilla.org/r/33753/#review30453 basically reviewed the cpp.. you should get annevk to look at the rest too
Attachment #8716254 - Flags: review?(mcmanus) → review+
Comment on attachment 8716254 [details] MozReview Request: Bug 1042347 - %2e entered in URL bar not normalized leading to denormalized request r?mcmanus Requesting review for the tests, according to comment 11.
Attachment #8716254 - Flags: review?(annevk)
Attachment #8716254 - Flags: review?(annevk)
Comment on attachment 8716254 [details] MozReview Request: Bug 1042347 - %2e entered in URL bar not normalized leading to denormalized request r?mcmanus https://reviewboard.mozilla.org/r/33753/#review30837 The changes to web-platform-tests seem fine (less failures) and the new tests seem okay. I would have liked us to add new tests to web-platform-tests instead, but I guess this is okay for now. Not sure what the policy on that is. It might make sense to also test URLs such as http://example.com/%2e. (and with trailing slash, etc.) to see whether that doesn't do anything funny.
https://hg.mozilla.org/integration/mozilla-inbound/rev/f3925f5ffdbb817dde22283952c06a645160bb96 Bug 1042347 - %2e entered in URL bar not normalized leading to denormalized request r=mcmanus
https://hg.mozilla.org/mozilla-central/rev/f3925f5ffdbb
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox47: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Status: RESOLVED → VERIFIED
Reopening since this got backed out a while ago.
Status: VERIFIED → REOPENED
status-firefox47: fixed → ---
Resolution: FIXED → ---
Whiteboard: [necko-active]
Assignee: valentin.gosu → juhsu
Whiteboard: [necko-active] → [necko-next]
Whiteboard: [necko-next] → [necko-backlog]
So https://github.com/whatwg/url/issues/77 got reverted just like the patch in this bug. Shall we close this?
Guess so. Thanks!
Status: REOPENED → RESOLVED
Closed: 9 years ago8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: