Closed
Bug 337721
Opened 19 years ago
Closed 17 years ago
[1.8.0]Escaped hostnames defeat possible-phishing detection
Categories
(Core :: Networking: HTTP, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: dveditz, Unassigned)
References
Details
(Whiteboard: [sg:low spoof] fixed in ff2 and later)
"Hackena" (h4ck-3n4) reports that we correctly bring up the "possible spoofing" confirm dialog for
http://www.google.com@www.yahoo.fr/
but if the host name is escaped we load yahoo.fr with nary a peep
http://www.google.com@%77%77%77%2E%79%61%68%6F%6F%2E%66%72/
|
Reporter | |
Updated•19 years ago
|
Flags: blocking1.9a2+
Flags: blocking1.8.1+
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
Whiteboard: [sg:low spoof]
|
||
Comment 1•19 years ago
|
||
Hrm... this doesn't make any sense. We don't unescape hex in the hostname, and we have checks to prevent sending hex escaped hostnames to the DNS resolver _and_ to proxy servers. What version of Firefox is being tested?
Perhaps we do not bring up the "possible spoofing" confirm dialog because we did not get past the "looks like a bad hostname" checks.
|
||
Comment 2•19 years ago
|
||
yeah, we just show an error page for that URL, don't we?
|
|
Reporter | |
Comment 3•19 years ago
|
||
(In reply to comment #2)
> yeah, we just show an error page for that URL, don't we?
Interesting, indeed we do in ff2, but not in the current released ff1.5.0.x. Would it be worth figuring out what fixes got added on the 1.8 branch and putting them in the next 1.5.0.x?
Group: security
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: blocking1.9a2+
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Resolution: --- → FIXED
Whiteboard: [sg:low spoof] → [sg:low spoof] fixed in ff2 and later
|
|
Reporter | |
Comment 4•19 years ago
|
||
IE, Opera, and our old versions (ff1.0 and 1.5, Moz Suite forever) are perfectly happy loading the escaped URL http://%77%77%77%2e%79%61%68%6f%6f%2e%66%72/
Isn't Firefox 2 likely to break things by rejecting it?
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
||
Comment 5•19 years ago
|
||
Dan, I'm confused because I thought we failed to unescape %-encoded hostnames in all versions of Mozilla since... well... for a long time.
On the 1.8.0 branch (and elsewhere):
http://lxr.mozilla.org/mozilla1.8.0/source/netwerk/base/src/nsURLHelper.cpp#896
I'm curious who is performing the unescaping.
|
|
||
Comment 6•19 years ago
|
||
See also bug 304904 !
|
|
Reporter | |
Comment 7•19 years ago
|
||
(In reply to comment #6)
> See also bug 304904 !
especially bug 304904 comment 9 which explains we're violating rfc 3986 by rejecting these (bug 309671). (%-escaped hosts are implied by the earlier rfc 2396 but left out of the explicit syntax for hosts. rfc 3986 corrects this)
So this will come back as a problem when bug 309671 is fixed.
|
|
Reporter | |
Comment 8•19 years ago
|
||
*** Bug 339816 has been marked as a duplicate of this bug. ***
|
|
||
Comment 9•19 years ago
|
||
Minusing for 1.8.0.5, but we can reconsider for the next release once we figure out what we're going to do with bug 309671.
Flags: blocking1.8.0.5? → blocking1.8.0.5-
|
|
||
Comment 10•18 years ago
|
||
-> reassign to default owner
Assignee: darin.moz → nobody
Status: REOPENED → NEW
QA Contact: darin.moz → networking.http
|
|
Reporter | |
Updated•17 years ago
|
Summary: Escaped hostnames defeat possible-phishing detection → [1.8.0 branch]Escaped hostnames defeat possible-phishing detection
|
|
Reporter | |
Updated•17 years ago
|
Summary: [1.8.0 branch]Escaped hostnames defeat possible-phishing detection → [1.8.0]Escaped hostnames defeat possible-phishing detection
|
|
Reporter | |
Comment 11•17 years ago
|
||
This is fixed in later versions so we're closing it "WFM", but it still exists on the named branch. The future bugzilla "sightings" feature would help here.
Status: NEW → RESOLVED
Closed: 19 years ago → 17 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•