validation of port numbers too weak in address bar; multiple examples

RESOLVED EXPIRED

Status

RESOLVED EXPIRED
16 years ago
9 years ago

People

(Reporter: reuben, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Description

16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021212
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3a) Gecko/20021212

When entering a URL in the address bar for Mozilla 1.2.1 and 1.3.1, the port
portion of the hostport is not strictly validated.

Other browsers make :80 optional and also are forgiving of leading zeroes. 
Mozilla is *much* more liberal.

Numeric forms
=============
http://mozilla.org:80/ ok, same as MSIE6, Netscape4.76
http://mozilla.org:0080/ ok, same
http://mozilla.org:80.00/ MSIE6 doesn't support; Mozilla does
http://mozilla.org:80.05/ works in Mozilla!
http://mozilla.org:8E1/ neither MSIE6 nor Netscape4.76 support this; Mozilla does
http://mozilla.org:80E0/ neither MSIE6 nor Netscape4.76 support this; Mozilla does

Strings
=======
http://mozilla.org:hi-mom-80/ works ok, only in Mozilla
http://mozilla.org:hi-mom/ works ok, only in Mozilla
http://mozilla.org:0x50/ expected hex50=80, or error - instead treats as ":50"
http://207.200.81.215:microsoft.com/ maps to mozilla.org not MSFT; possible expr
for use in social engr hack ??

Illegal numbers
===============

For port numbers outside the legal range 0-65536, I would expect to receive an
error.  Instead, Mozilla wraps the number back into a 16-bit number.  Example:

http://www.xav.com:80/env.pl ok

http://www.xav.com:65616/env.pl ( = 65536 + 80) works, but shouldn't

http://www.xav.com:655440/env.pl ( = 10 * 65536 + 80 ) works, but shouldn't

Note that in these cases, Mozilla is not just internally mapping the port number
to 80 and then transmitting HTTP_HOST of www.xav.com:80 -- Mozilla actually
sends the HTTP_HOST value of www.xav.com:65616 and www.xav.com:655440.

Significance:
=============

Per rfc2396, the port portion has data type "*digit".  As such, I would expect
the mixed text-digit expressions like mom80 to fail, and the fractional
expressions like 80.05 to fail.  All else being equal, it is also best to
conform to behavior of other popular user agents.

For those writing URL filtering applications, it is helpful to have the
http://host:port/ portion be expressible in only one way, or to have a limited
number of variants (i.e., dns name vs. ip-numeric vs. ip-octal vs. :80 or not,
etc.).  Because Mozilla will accept almost anything, it becomes more difficult
for URL filter apps to rewrite URL's into their base form, and it is more
difficult to separate valid from invalid URL's.

The ability to express URL's in different ways is a feature that is exploited by
bad guys and has little utility to good guys.

Reproducible: Always

Steps to Reproduce:
1. (as above)
2.
3.
Seen in Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7a) Gecko/20040219
Severity: trivial → normal
Keywords: qawanted
OS: Windows 2000 → All
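Added example, not code from this bug or from Mozilla: a strict port validator in JavaScript that enforces RFC 2396's port = *digit rule plus the 0-65535 range check the reporter expects, run against the report's own sample ports. The default of 80 for an empty port and the wrap16 helper that models the 16-bit wrap-around described above are assumptions.

```javascript
// Strict validator for the port part of an http URL (added example).
// RFC 2396: port = *digit, so only ASCII digits are accepted: no sign,
// no ".", no "E", no "0x", no letters. Returns the port number or null.
function parsePortStrict(portText) {
  // RFC 2396 allows an empty port ("http://host:/"); assumption: treat
  // it as the http default of 80.
  if (portText === "") return 80;
  if (!/^[0-9]+$/.test(portText)) return null;
  // Leading zeros (":0080") are tolerated by other user agents, so they
  // are accepted here too; Number() discards them before the range check.
  const value = Number(portText);
  if (value > 65535) return null;   // reject instead of wrapping to 16 bits
  return value;
}

// Model (assumption) of the wrap-around the report describes: the port is
// truncated to 16 bits, so 65616 and 655440 both end up as 80. Shown only
// to make the defect visible; a validator must never do this.
function wrap16(n) {
  return n & 0xffff;
}

// Validate a whole "host:port" authority. Splitting on the LAST colon keeps
// a junk port such as "microsoft.com" from being mistaken for the host.
function validateHostPort(hostport) {
  const idx = hostport.lastIndexOf(":");
  if (idx === -1) return { host: hostport, port: 80 };
  const host = hostport.slice(0, idx);
  const port = parsePortStrict(hostport.slice(idx + 1));
  if (host === "" || port === null) return null;
  return { host, port };
}

// Constructed inputs, taken from the examples in the report.
const samplePorts = ["80", "0080", "80.00", "80.05", "8E1", "80E0",
                     "hi-mom-80", "hi-mom", "0x50", "65616", "655440"];
for (const p of samplePorts) {
  console.log(p.padEnd(10), "strict ->", parsePortStrict(p));
}
console.log("wrap16(65616)  ->", wrap16(65616));   // the wrapped value, 80
console.log("wrap16(655440) ->", wrap16(655440));  // also 80
console.log(validateHostPort("207.200.81.215:microsoft.com")); // null
```

Only "80" and "0080" survive the strict check; every other form in the report is rejected rather than silently reinterpreted, which is what lets a URL filter normalise host:port to one canonical spelling.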

Comment 2

15 years ago
I can reproduce this with Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6)
Gecko/20040302 Firefox/0.8 and Mozilla/5.0 (X11; U; FreeBSD i386; en-US;
rv:1.7a) Gecko/20040307 . Moving to confirmed.
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 3

14 years ago
-> default

The illegal numbers are straight-out bad. They should be rejected. As for the
other examples, I agree they are invalid, but am unsure what should happen
(error message?)

I've written a strict port validator in JS, but haven't looked at the location bar to
see where the URL parser sends it to necko.
Assignee: hewitt → location-bar
Depends on: 268619
Keywords: qawanted
QA Contact: claudius
Hardware: PC → All
Product: Core → SeaMonkey

Comment 4

9 years ago
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but has been without a comment since the inception of the SeaMonkey project. This means that it was logged against the old Mozilla suite and we cannot determine that it's still valid for the current SeaMonkey suite. Because of this, we are setting it to an UNCONFIRMED state.

If you can confirm that this report still applies to current SeaMonkey 2.x nightly builds, please set it back to the NEW state along with a comment on how you reproduced it on what Build ID, or if it's an enhancement request, why it's still worth implementing and in what way.
If you can confirm that the report doesn't apply to current SeaMonkey 2.x nightly builds, please set it to the appropriate RESOLVED state (WORKSFORME, INVALID, WONTFIX, or similar).
If no action happens within the next few months, we move this bug report to an EXPIRED state.

Query tag for this change: mass-UNCONFIRM-20090614
Status: NEW → UNCONFIRMED

Comment 7

9 years ago
MASS-CHANGE:
This bug report is registered in the SeaMonkey product, but still has no comment since the inception of the SeaMonkey project 5 years ago.

Because of this, we're resolving the bug as EXPIRED.

If you still can reproduce the bug on SeaMonkey 2 or otherwise think it's still valid, please REOPEN it and if it is a platform or toolkit issue, move it to the according component.

Query tag for this change: EXPIRED-20100420
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → EXPIRED