Closed Bug 1825179 Opened 3 years ago Closed 2 years ago

Some canonicalization should still apply to query string

Categories

(Toolkit :: Safe Browsing, defect, P2)

Product:
Toolkit
Component:
Safe Browsing
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
126 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox111 --- wontfix
firefox112 --- wontfix
firefox113 --- wontfix
firefox114 --- wontfix
firefox124 --- wontfix
firefox125 --- wontfix
firefox126 --- fixed

People

(Reporter: hectorz, Assigned: hsohaney)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1825179 - Added canonicalization to query parameters for Google Safe Browsing. r?timhuang
48 bytes, text/x-phabricator-request
Details | Review

Hi, we're looking at some other URLs in our safe browsing list but not blocked in Fx, and I think there's a client side bug from the previous fix.

In https://developers.google.com/safe-browsing/v4/urls-hashing?hl=en#canonicalization, when talking about "Do not apply these path canonicalizations to the query parameters" I think it's only referring to the two slash related ones above the sentence, while the "percent-unescape" above and "percent-escape" below that part should still apply.

While the fix in https://hg.mozilla.org/mozilla-central/rev/2e19e69edfcb means the query string will be returned by GetKeyForURI w/o going through any of that.

As an example, while both https://wiki.mozilla.org/index.php?title=MozillaWiki:Help&action=history and https://wiki.mozilla.org/index.php?title=MozillaWiki%3AHelp&action=history can reach the same page,

» let urlUtils = Cc["@mozilla.org/url-classifier/utils;1"].getService(Ci.nsIUrlClassifierUtils);
← <XPCWrappedNative_NoHelper ...>
» urlUtils.getKeyForURI(Services.io.newURI("https://wiki.mozilla.org/index.php?title=MozillaWiki:Help&action=history"))
← "wiki.mozilla.org/index.php?title=MozillaWiki:Help&action=history"
» urlUtils.getKeyForURI(Services.io.newURI("https://wiki.mozilla.org/index.php?title=MozillaWiki%3AHelp&action=history"))
← "wiki.mozilla.org/index.php?title=MozillaWiki%3AHelp&action=history"

Set release status flags based on info from the regressing bug 1676804

:dimi, since you are the author of the regressor, bug 1676804, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

status-firefox111: --- → affected
status-firefox112: --- → affected
status-firefox113: --- → affected
status-firefox-esr102: --- → affected
Flags: needinfo?(dlee)
Assignee: nobody → dlee
Severity: -- → S3
Flags: needinfo?(dlee)
Priority: -- → P2

Set release status flags based on info from the regressing bug 1676804

status-firefox114: --- → affected
Assignee: dlee → nobody
Assignee: nobody → hsohaney

Could you clarify the example case the reporter was mentioning. It reads incomplete right now, am I missing something?

Flags: needinfo?(dlee)

From discussion with :timhuang, the query parameters currently are not being canonicalized as per the algorithm in https://developers.google.com/safe-browsing/v4/urls-hashing?hl=en#canonicalization

Flags: needinfo?(dlee)
Pushed by hsohaney@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/28b4eaeb7028 Added canonicalization to query parameters for Google Safe Browsing. r=timhuang

https://hg.mozilla.org/mozilla-central/rev/28b4eaeb7028

Status: NEW → RESOLVED
Closed: 2 years ago
status-firefox126: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: