Closed
Bug 1151195
Opened 9 years ago
Closed 7 months ago
a.href a.port URL parser integer/long
Categories
(Core :: DOM: HTML Parser, defect)
Core
DOM: HTML Parser
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: dzulla, Unassigned)
Details
(Keywords: sec-audit, sec-vector)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 Firefox for Android Steps to reproduce: var a = document.createElement("a"); a.href = "https://www.mozilla.org:65536"; console.log(a.port); // Firefox: 65536; Chrome: 0 a.href = "https://www.mozilla.org:10000000000"; console.log(a.port); // Firefox: 1410065408; Chrome: 0 Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities Actual results: var a = document.createElement("a"); a.href = "https://www.mozilla.org:65536"; console.log(a.port); // Firefox: 65536; Chrome: 0 a.href = "https://www.mozilla.org:10000000000"; console.log(a.port); // Firefox: 1410065408; Chrome: 0 Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities Expected results: var a = document.createElement("a"); a.href = "https://www.mozilla.org:65536"; console.log(a.port); // Firefox: 65536; Chrome: 0 a.href = "https://www.mozilla.org:10000000000"; console.log(a.port); // Firefox: 1410065408; Chrome: 0 Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities
Reporter | ||
Updated•9 years ago
|
Component: Untriaged → HTML: Parser
Product: Firefox → Core
Version: unspecified → Trunk
Updated•2 years ago
|
Severity: normal → S3
Comment 1•7 months ago
|
||
All the examples in comment 0 throw if passed to new URL
, and return ""
from the link element, in both Firefox and Chrome. Gonna resolve WFM.
Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•