URI fixup alternate URI fixup causes confusion
Categories: Firefox :: Address Bar, defect, P3
People: Reporter: dezhuangkong, Unassigned
Details: Whiteboard: [reporter-external] [client-bounty-form] [verif?]
Steps to reproduce:
Enter in the browser address bar:
(1) aaa\www.bbb.com
(2) aaa/www.bbb.com
(3) aaa?www.bbb.com
(4) aaa#www.bbb.com
(5) aaa/ccc/www.bbb.com
Actual results:
aaa is automatically resolved to www.aaa.com, so:
(1) aaa\www.bbb.com => www.aaa.com/www.bbb.com
(2) aaa/www.bbb.com => www.aaa.com/www.bbb.com
(3) aaa?www.bbb.com => www.aaa.com/?www.bbb.com
(4) aaa#www.bbb.com => www.aaa.com/#www.bbb.com
(5) aaa/ccc/www.bbb.com => www.aaa.com/ccc/www.bbb.com
Attackers can use this feature to launch URL jump attacks.
Expected results:
I experimented with Chrome, IE, Edge, and Safari. None of them has this problem. I don't think non-compliant URLs should be automatically parsed and filled in. Doing so will cause potential security issues.
I submitted this once before through the bug channel, without using the Client Bug Bounty Form; the link is https://bugzilla.mozilla.org/show_bug.cgi?id=1605970
Comment 2•4 years ago
This isn't a vulnerability; if you're managing to convince the user to input these strings in the URL bar you could just as well convince them to put in the ".com" bit yourself, which if you need them to visit that site would be sufficient.
Marco, I suspect we should just mark this invalid. For people who expect this to work this way, I don't see a way to break this behaviour without also breaking their use cases. It's a very old feature - if we had data that people didn't use this, I guess we could decide to get rid of it altogether, but I have no idea how we'd get such data. Equally, comment #0 is correct about 1 thing - I don't think any other browser does anything comparable, so perhaps its time has come in terms of fixup options?
Comment 3•4 years ago
This is related to, or maybe a dupe of, bug 1566499.
I think long term we should consider those urls only if "aaa" is whitelisted, and bug 1566499 will likely do that (https://bugzilla.mozilla.org/show_bug.cgi?id=1566499#c4)
Comment 7•4 years ago
This is not a security bug eligible for the bug bounty.
Comment 8•4 years ago
All the cases now execute a search, as expected.
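To make the behaviour under discussion concrete, here is an added example that models the fixup described in the report and the two outcomes the thread mentions: the legacy "guess www.&lt;word&gt;.com" expansion from the reporter's five cases, and a conservative variant that only fixes up hosts on an allow-list (comment 3's whitelist idea) and otherwise runs a search (what comment 8 reports). This is illustration code written for this page, not Firefox's URIFixup implementation; the search endpoint, the `knownHosts` set and the exact splitting rules are assumptions.

```javascript
// Added example, not Firefox code: a model of the address-bar fixup the
// report describes, plus a conservative variant that only fixes up
// allow-listed hosts and otherwise searches (the outcome comment 8 reports).
// SEARCH_URL, knownHosts and the splitting rules are assumptions for illustration.

const SEARCH_URL = "https://search.example/?q="; // hypothetical search endpoint

// Split raw address-bar input into the first segment and the remainder,
// cutting at the first path, query or fragment delimiter. A backslash is
// treated as a path separator, which is what case (1) in the report shows.
function splitInput(raw) {
  const m = /^([^\\\/?#]*)(.*)$/.exec(raw.trim());
  return { host: m[1], rest: m[2].replace(/\\/g, "/") };
}

// Legacy-style fixup: a bare single label (letters, digits, hyphens only,
// so no dot, colon, scheme or whitespace) is expanded to www.<label>.com
// and whatever followed it is kept as path, query or fragment.
// Returns null when the heuristic does not apply.
function legacyFixup(raw) {
  const { host, rest } = splitInput(raw);
  if (!/^[a-z0-9-]+$/i.test(host)) return null;
  const tail = rest === "" || rest.startsWith("/") ? rest : "/" + rest;
  return `http://www.${host}.com${tail === "" ? "/" : tail}`;
}

// Conservative variant (comment 3's whitelist idea): fix up only when the
// guessed host is one the user is known to have visited; anything else is
// sent to search, so "aaa/www.bbb.com" no longer navigates silently to
// www.aaa.com. knownHosts is a Set of hostnames, assumed for illustration.
function resolveInput(raw, knownHosts) {
  const guess = legacyFixup(raw);
  if (guess !== null && knownHosts.has(new URL(guess).hostname)) {
    return { action: "navigate", url: guess };
  }
  return { action: "search", url: SEARCH_URL + encodeURIComponent(raw.trim()) };
}

// The five inputs from the report (constructed here from the bug text).
const REPORT_CASES = [
  "aaa\\www.bbb.com",
  "aaa/www.bbb.com",
  "aaa?www.bbb.com",
  "aaa#www.bbb.com",
  "aaa/ccc/www.bbb.com",
];

// Resolve each reported input under both policies, with an empty allow-list.
function resolveReportCases() {
  return REPORT_CASES.map((raw) => ({
    input: raw,
    legacy: legacyFixup(raw),
    conservative: resolveInput(raw, new Set()).action,
  }));
}

for (const r of resolveReportCases()) {
  console.log(`${r.input} => ${r.legacy} (legacy) / ${r.conservative} (conservative)`);
}
```

With an empty allow-list every reported input becomes a search; adding "www.aaa.com" to `knownHosts` restores navigation only for users who have actually been there, which is the trade-off comment 2 raises between breaking the old feature and keeping its risk.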