Closed Bug 288732 Opened 20 years ago Closed 20 years ago

Malformed URL causes Firefox to have strange behavior and crash

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: verificator, Assigned: dveditz)

Details

(Keywords: crash, Whiteboard: [sg:needinfo])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.6) Gecko/20050318 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.6) Gecko/20050318 Firefox/1.0.2

Hi!

I discovered this *security* bug while browsing a commercial website.
When you type | characters in your URL, this causes Firefox to open a new tab
for each one (if FF is configured to open new links in tabs). This rapidly causes FF to
take all the CPU time and crash, turning XP into an unstable state...

Well, very strange, and very easy to use for anyone :-/


Try this kind of link:

http://www.rueducommerce.fr/Mobilite-Telephonie/Ordinateurs-portables/Tous-nos-portables/HP/4376-Portable-Compaq-NX9105-Sempron-2800.htm?pl=4376|4679|4274|4281|4325|4374|4650|4640|4335|4412|4224|4143|4545|4685|4671|4531|4305|4629|4320|4270|4585|4218|4248|4595|4556|4183|4187|4666|4160|4681|4159|4554|4549|4164|4306|4702|4558|4643|4703|4116|4647|4642|4277|4588|4271|4504|3958|4524|4323|4555|4251|4566|4542|4530|4197|4239|4586|4648|4557|4673|4547|4559|4649|4684|4503|4693|4674|4695|4644|4200|4543|4407|4485|4641|4539|4540|4541

and enjoy the power of tabs !


Regards
Julien

Reproducible: Always

Steps to Reproduce:
1. Type a malformed URL like:
http://www.rueducommerce.fr/Mobilite-Telephonie/Ordinateurs-portables/Tous-nos-portables/HP/4376-Portable-Compaq-NX9105-Sempron-2800.htm?pl=4376|4679|4274|4281|4325|4374|4650|4640|4335|4412|4224|4143|4545|4685|4671|4531|4305|4629|4320|4270|4585|4218|4248|4595|4556|4183|4187|4666|4160|4681|4159|4554|4549|4164|4306|4702|4558|4643|4703|4116|4647|4642|4277|4588|4271|4504|3958|4524|4323|4555|4251|4566|4542|4530|4197|4239|4586|4648|4557|4673|4547|4559|4649|4684|4503|4693|4674|4695|4644|4200|4543|4407|4485|4641|4539|4540|4541

or

http://www.google.com?pl=4376|4679|4274|4281|4325|4374|4650|4640|4335|4412|4224|4143|4545|4685|4671|4531|4305|4629|4320|4270|4585|4218|4248|4595|4556|4183|4187|4666|4160|4681|4159|4554|4549|4164|4306|4702|4558|4643|4703|4116|4647|4642|4277|4588|4271|4504|3958|4524|4323|4555|4251|4566|4542|4530|4197|4239|4586|4648|4557|4673|4547|4559|4649|4684|4503|4693|4674|4695|4644|4200|4543|4407|4485|4641|4539|4540|4541
Actual Results:
It causes FF to open a tab for each '|' found in the URL, and crash rapidly. XP
crashes sometimes too.

Expected Results:
FF should have done nothing special with this URL, except opening the page normally.

Blocks: sbb?
Whiteboard: [sg:needinfo]

I cannot reproduce this, and '|' is not a special character Firefox would parse
in a URL. Do you have any extensions installed which might be doing this? Does
it still happen if you run in "safe mode"?

Denial of Service bugs do not qualify for the Security Bug Bounty.
http://www.mozilla.org/security/bug-bounty-faq.html#dos-bugs

Blocks: sbb-
No longer blocks: sbb?
Group: security
Keywords: crash

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050406 Firefox/1.0+

WFM in latest-trunk, resolving this WFM.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME