Closed Bug 1151195 Opened 10 years ago Closed 2 years ago

a.href a.port URL parser integer/long

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: dzulla, Unassigned)

Details

(Keywords: sec-audit, sec-vector)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36 Firefox for Android Steps to reproduce: var a = document.createElement("a"); a.href = "https://www.mozilla.org:65536"; console.log(a.port); // Firefox: 65536; Chrome: 0 a.href = "https://www.mozilla.org:10000000000"; console.log(a.port); // Firefox: 1410065408; Chrome: 0 Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities Actual results: var a = document.createElement("a"); a.href = "https://www.mozilla.org:65536"; console.log(a.port); // Firefox: 65536; Chrome: 0 a.href = "https://www.mozilla.org:10000000000"; console.log(a.port); // Firefox: 1410065408; Chrome: 0 Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities Expected results: var a = document.createElement("a"); a.href = "https://www.mozilla.org:65536"; console.log(a.port); // Firefox: 65536; Chrome: 0 a.href = "https://www.mozilla.org:10000000000"; console.log(a.port); // Firefox: 1410065408; Chrome: 0 Long rather than unsigned int? Potential attack vector; combined with other vulnerabilities
Keywords: sec-audit, sec-vector
OS: Mac OS X → All
Hardware: x86 → All
Component: Untriaged → HTML: Parser
Product: Firefox → Core
Version: unspecified → Trunk
Severity: normal → S3

All the examples in comment 0 throw if passed to new URL, and return "" from the link element, in both Firefox and Chrome. Gonna resolve WFM.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.