Closed Bug 254249 Opened 21 years ago Closed 20 years ago

Malformed/mistyped URL causes browser to scan through history & open random site

Categories

(Firefox :: General, defect)

defect
Not set
normal

VERIFIED DUPLICATE of bug 231720

People

(Reporter: michaelj.johnson, Assigned: bugzilla)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

Upon pasting a malformed/mistyped link into the addressbar ( http://https//student.santarosa.edu/~jdemello/homework.html ) Firefox v0.9.2 quickly linked to several websites in succession, finally settling on https://www.paypal.com/ and opening it. In IE, the same malformed/mistyped link causes a standard "The page cannot be displayed" page to be displayed.

Reproducible: Always

Steps to Reproduce:
1. Cut/Paste the following link into the addressbar - DO NOT correct the mistake in the URL
2. http://https//student.santarosa.edu/~jdemello/homework.html
3. Hit enter and watch the activity in the Status Bar

Actual Results: The status bar indicated that the browser was accessing several webpages in very quick succession, including http://www.google.com, before settling on https://www.paypal.com/.

Expected Results: Displayed some sort of message indicating that the URL that was entered contains errors or is invalid.

I have marked this as a security problem because it occurs to me that this simple bug could potentially be used maliciously by a web site owner.

about:buildconfig

Build platform
target: i686-pc-cygwin

Build tools (Compiler, Version, Compiler flags)
$(CYGWIN_WRAPPER) cl, 12.00.8804, -TC -nologo -W3 -nologo -Gy -Fd$(PDBFILE)
$(CYGWIN_WRAPPER) cl, 12.00.8804, -TP -nologo -W3 -nologo -Gy -Fd$(PDBFILE)

Configure arguments
--disable-ldap --disable-mailnews --enable-extensions=cookie,xml-rpc,xmlextras,pref,transformiix,universalchardet,typeaheadfind,webservices,inspector,gnomevfs,negotiateauth --enable-crypto --disable-composer --enable-single-profile --disable-profilesharing --enable-optimize --disable-debug --disable-tests --enable-static --disable-shared --enable-official-branding

This happens because Paypal is the first hit on Google for "https".
*** This bug has been marked as a duplicate of 230905 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
hm, this is a dupe, but not of that specific bug.
Whiteboard: DUPEME
Owen, if you're going to add DUPEME, you should reopen too. But why isn't this a dup of that bug?
I looked at 230905 - this bug has completely different behavior. Nothing is changed or added with the URL I type in, it was already a bad URL.
This bug: Entering http://https/ goes to http://www.paypal.com/ via Google IF.
Bug 230905: Entering http://test/ goes to http://www.test.com/ by adding www and com.
Ok, maybe they're not the same bug.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
I know it is a dupe, though... but I can't find it :/ still looking
*** Bug 263191 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of 231720 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago → 20 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
Verifying old and obvious dupes. Sorry for bugspam.
Status: RESOLVED → VERIFIED
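
The following is an added example, not Firefox code and not part of the original bug thread. It shows how the URL from this report parses under the WHATWG URL parser (available in Node.js and current browsers) so that the host becomes "https", and how an input check can flag that case and the single-label case from bug 230905 instead of resolving the host some other way. The function name, the list of scheme words and the verdict labels are assumptions made for illustration.

```javascript
// Assumption: scheme names that should never be accepted as a bare host name.
const SCHEME_WORDS = new Set(["http", "https", "ftp", "file"]);

// Classify address-bar style input. Returns an object with a verdict of
// "ok", "suspicious", "malformed" or "invalid" plus the parsed parts.
function classifyAddressBarInput(input) {
  let url;
  try {
    url = new URL(input.trim());
  } catch (e) {
    return { verdict: "invalid", reason: "not parseable as a URL" };
  }
  const host = url.hostname.toLowerCase();
  const result = { verdict: "ok", scheme: url.protocol, host, path: url.pathname };

  // "http://https//host/path" lost the colon after the second scheme, so the
  // parser takes "https" as the host and the intended host lands in the path.
  if (SCHEME_WORDS.has(host)) {
    result.verdict = "malformed";
    result.reason = `host "${host}" is a scheme name`;
    const m = /^\/\/([^\/]+)(\/.*)?$/.exec(url.pathname);
    if (m) {
      // Offer the likely intended URL to the user; do not navigate to it.
      result.probableTarget = `${host}://${m[1]}${m[2] || "/"}`;
    }
    return result;
  }

  // Single-label hosts such as "test" (bug 230905) should produce an error
  // or a prompt, not a silent rewrite or keyword lookup.
  if (!host.includes(".") && !host.startsWith("[") && host !== "localhost") {
    result.verdict = "suspicious";
    result.reason = "single-label host";
  }
  return result;
}
```
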