Open Bug 1538374 Opened 7 months ago Updated 3 months ago

decimal IP addresses combined with usernames should trigger search

Categories

(Core :: Document Navigation, defect, P3)

66 Branch
defect

UNCONFIRMED

People

(Reporter: richard.strand, Unassigned)

Attachments

(1 file)

Attached image Firefox DoD wtf.png

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0

Steps to reproduce:

I was trying to search for a virus named Win32.Adposhel.BS@487219106 and typed it in the address bar.

Entering any string that is random.stuff@randomstring reproduces the issues at hand.

Entering a string that is random.stuff@something between 1 to 10 characters produces a URL suggestion of an IP address that changes at every character input, while typing 11 characters after the @-sign displays the string you're typing.

Actual results:

You'll get a random IP suggestion if you write random.string@1-10 characters, and if you write 11 characters after the @-sign it changes from a suggestion of random.string@seemingly.random.ip.address to random.string@the.11.character.string

Typing in Win32.Adposhel.BS@487219106 (and also several other random strings for some reason) leads you to an IP address in the DoD range.

I got directed to several random IP addresses, including IP addresses that start with 0.0.. and Ford Motors, and the Department of Defence, using different random strings.

Also see the screenshots from my findings that I uploaded to: https://imgur.com/a/JKIswrf

Apparently I can only provide one screenshot using this form.

Also, if my English is bad it's because I'm a non-native speaker and I'm really tired, so I'll wrap this up now.

Wrote about the issue on https://support.mozilla.org/en-US/questions/1253987

Expected results:

Whichever search engine I have chosen to use should have searched for the string I put in the address bar.

(moving to docshell because that's where URI fixup lives still, atm)

This is a result of the decimal representation of IP addresses. See https://superuser.com/questions/736583/strange-dotless-decimal-notation-of-ip-address-how-does-it-work , bug 67730, bug 1063010.

Group: firefox-core-security
Component: Untriaged → Document Navigation
Product: Firefox → Core
Summary: Parsing error in URL String? → decimal IP addresses combined with usernames should trigger search
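
Added example (not part of the bug report and not Firefox code): a sketch of why the reporter's input resolves to an IP address when it is read as a URL. It splits the input at the last "@" into userinfo and host, converts a dotless decimal host to dotted-quad form, and cross-checks against the WHATWG URL parser built into Node.js; the function names are hypothetical and Firefox's own URI fixup code may differ in detail.

```javascript
// Added illustration; function names are hypothetical, not Firefox code.

// Convert a dotless decimal host to dotted-quad form. Returns null when the
// host is not plain decimal (leading-zero/octal and hex forms are out of
// scope here) or does not fit in 32 bits. No value above 4294967295
// (10 digits) fits, so any 11-digit number is rejected.
function decimalHostToIPv4(host) {
  if (!/^(0|[1-9][0-9]*)$/.test(host) || host.length > 10) return null;
  const n = Number(host);
  if (n > 0xffffffff) return null;
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join(".");
}

// Split urlbar-style input at the last "@", as a URL authority is split
// into userinfo and host, and report whether the host is a decimal IP.
function classifyInput(input) {
  const at = input.lastIndexOf("@");
  if (at < 0) return { kind: "no-userinfo", userinfo: null, host: input, ipv4: null };
  const userinfo = input.slice(0, at);
  const host = input.slice(at + 1);
  const ipv4 = decimalHostToIPv4(host);
  const kind = ipv4 ? "userinfo+decimal-ip" : "userinfo+other-host";
  return { kind, userinfo, host, ipv4 };
}

// Cross-check with the WHATWG URL parser built into Node.js (an http://
// scheme is prepended, which is an assumption about how the input is fixed up).
function whatwgHostname(input) {
  try {
    return new URL("http://" + input).hostname;
  } catch (e) {
    return null; // parser rejected the input
  }
}

// Inputs: the string from the report, plus constructed variants.
for (const s of ["Win32.Adposhel.BS@487219106", "random.stuff@123",
                 "random.stuff@48721910612", "random.stuff@example"]) {
  console.log(s, "->", JSON.stringify(classifyInput(s)), whatwgHostname(s));
}
```

A result of kind "userinfo+decimal-ip" is the case this bug's summary proposes to send to search instead of loading as a URL.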

Sorry about the Security tag.

I was unsure on if this could somehow be a threat, or if it was a simple bug.

(In reply to aldous huxley from comment #2)

> Sorry about the Security tag.
>
> I was unsure on if this could somehow be a threat, or if it was a simple bug.

No worries, better safe than sorry. :-)

Over to Boris to decide the priority and maybe also a recommendation for who can work on this.

Flags: needinfo?(bzbarsky)

Well, do we want to do something here separate from bug 67730? Seems to me that if we support this notation at all chances are people are getting that from "somewhere" (because no one is going to start off by typing in a decimal IP by hand) and then it might well include a username to go with it too, so if we forced it to search they would not have any way to load that URL. That's an OK behavior, but we should just do it across the board for decimal IPs, imo.

I'd say it's pretty low-priority, but I'm biased because I also think people should be using a separate search box, not the url bar, to search...

Flags: needinfo?(bzbarsky)
Priority: -- → P3

fyi, you can force a search in the urlbar by prepending (or appending) a question mark
