Closed Bug 1151195 Opened 9 years ago Closed 7 months ago

a.href a.port URL parser integer/long

Categories

(Core :: DOM: HTML Parser, defect)

RESOLVED WORKSFORME

People

(Reporter: dzulla, Unassigned)

Details

(Keywords: sec-audit, sec-vector)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36
Firefox for Android

Steps to reproduce:

var a = document.createElement("a");
a.href = "https://www.mozilla.org:65536";
console.log(a.port); // Firefox: 65536; Chrome: 0
a.href = "https://www.mozilla.org:10000000000";
console.log(a.port); // Firefox: 1410065408; Chrome: 0

Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities


Actual results:

var a = document.createElement("a");
a.href = "https://www.mozilla.org:65536";
console.log(a.port); // Firefox: 65536; Chrome: 0
a.href = "https://www.mozilla.org:10000000000";
console.log(a.port); // Firefox: 1410065408; Chrome: 0

Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities


Expected results:

var a = document.createElement("a");
a.href = "https://www.mozilla.org:65536";
console.log(a.port); // Firefox: 65536; Chrome: 0
a.href = "https://www.mozilla.org:10000000000";
console.log(a.port); // Firefox: 1410065408; Chrome: 0

Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities
OS: Mac OS X → All
Hardware: x86 → All
Component: Untriaged → HTML: Parser
Product: Firefox → Core
Version: unspecified → Trunk
Severity: normal → S3

All the examples in comment 0 throw if passed to new URL, and return "" from the link element, in both Firefox and Chrome. Gonna resolve WFM.

Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → WORKSFORME
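
The second value reported in comment 0 equals 10000000000 mod 2^32, which is what a digit accumulator wrapping at 32 bits with no range check would produce. The sketch below is an added example, not code from this bug, Firefox or Chrome: `wrappingPort` models that assumed behaviour, `strictPort` shows the 16-bit range check, and `platformPort` asks the runtime's own `URL` parser (all three function names are hypothetical).

```javascript
// Added illustration; the wraparound model is an assumption that happens to
// reproduce the numbers quoted in comment 0, not a confirmed root cause.

// Accumulate decimal digits into an unsigned 32-bit value with no range check.
function wrappingPort(digits) {
  let n = 0;
  for (const ch of digits) {
    // Math.imul keeps the multiply in 32 bits; >>> 0 reinterprets as unsigned.
    n = (Math.imul(n, 10) + (ch.charCodeAt(0) - 48)) >>> 0;
  }
  return n;
}

// Range-checked parse: a port is a 16-bit unsigned integer (0..65535).
// Returns null instead of a truncated or wrapped number.
function strictPort(digits) {
  if (!/^[0-9]+$/.test(digits)) return null;
  let n = 0;
  for (const ch of digits) {
    n = n * 10 + (ch.charCodeAt(0) - 48);
    if (n > 65535) return null; // stop before the value can overflow anything
  }
  return n;
}

// Ask the platform URL parser; null means the whole URL was rejected.
function platformPort(href) {
  try {
    return new URL(href).port;
  } catch (e) {
    return null;
  }
}

// Inputs taken from comment 0, plus one constructed in-range port (8443).
const samples = ["65536", "10000000000", "8443"];
for (const p of samples) {
  console.log(p, {
    wrapping: wrappingPort(p),
    strict: strictPort(p),
    platform: platformPort("https://www.mozilla.org:" + p),
  });
}
```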