Pasting a JWT into the address bar freezes the browser

RESOLVED DUPLICATE of bug 1495327

Status

()

defect
RESOLVED DUPLICATE of bug 1495327
7 months ago
6 months ago

People

(Reporter: liam, Unassigned)

Tracking

63 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

758 bytes, text/plain
Details
Reporter

Description

7 months ago
Posted file jwt.txt
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0

Steps to reproduce:

Accidentally pasted a JWT into the address bar (see attached file). Reproduced with a fresh profile. (Could not reproduce in Developer Edition - may be fixed in a newer version already?)


Actual results:

Address bar displayed the content of the clipboard, but became completely unresponsive.


Expected results:

Address bar displayed the content of the clipboard, and remained responsive.
Reporter

Comment 1

7 months ago
Browser will eventually become responsive again, after multiple minutes of unresponsiveness.

Comment 2

7 months ago
Encountered the same issue when accidentally pasting a JWT into my URL.
Not all JWT's have the same result, and this seems to depend on the signature part of the token. 

When signing the same token with e.g. HS256 instead of RSA256/512, the browser does not seem to become unresponsive.
When replacing the first character in the signature with a character that is not valid base64 (tested with ", æ, ø, å), the browser does not seem to become unresponsive.

However, it seems like the entire signature is not required. Cutting off part of the signature will still result in the browser becoming unresponsive (have not found the specific amount of characters required).

Attempted to replicate the bug on Firefox for android, but was not able to.

Comment 3

7 months ago
Hi, Thanks for Reporting this issue, I'm trying to reproduce it but without any success, Here are the steps I'm following and you guys can tell me if I'm missing something:

1. Download the attached Jwt.txt file (now I tried it with both .txt as well as .io extension).
2. Opened Firefox 63.0.1, Beta 64.0b7 you can find it here - (https://www.mozilla.org/en-US/firefox/channel/desktop/) and Nightly - (https://nightly.mozilla.org/ )
3. Drag the Jwt file into the browser. I also tried just copy pasting the path from the file in the URL bar, but I still couldnt reproduce this issue.

I tried these steps with all 3 version of Firefox and I couldnt reproduce it, can you guys please check the Latest Firefox Nightly and try to reproduce it there as well, maybe it no longer occurs in later versions.
Flags: needinfo?(liam)

Comment 4

6 months ago
Open the Jwt.txt file, and copy the full contents (eyJhbGciOi....) into the URL bar. This should let you reproduce the issue.

Comment 5

6 months ago
Hi, Thanks for clearing that up, I managed to do a mozregresion to find the Fix, here are the results:

INFO: First good revision: 8da12a6048fba4e59a860386b075f4d9070f79bf
INFO: Last bad revision: 8958a60dd82423a4689837029be94e6d032f6b8c
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=8958a60dd82423a4689837029be94e6d032f6b8c&tochange=8da12a6048fba4e59a860386b075f4d9070f79bf

It seems this issue has been fixed with this Bug 1495327.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 months ago
Flags: needinfo?(liam)
Resolution: --- → DUPLICATE
Duplicate of bug: 1495327
You need to log in before you can comment on or make changes to this bug.