Closed Bug 339816 Opened 19 years ago Closed 19 years ago

URL with hex-encoded hostname and user/pass doesn't trigger warning

Categories

(Core :: Networking: HTTP, defect)

1.8 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 337721

People

(Reporter: peterv, Unassigned)

Details

Bug 232567 added a warning when loading a URL that contains HTTP authentication information that's unnecessary. The warning can easily be circumvented by hex-encoding the hostname. I'm seeing this in 1.5.0.3 but not in BonEcho (which gives a "Server not found" error page instead).

Testcase: Try loading
http://www.microsoft.com@%77%77%77%2E%6D%6F%7A%69%6C%6C%61%2E%6F%72%67
and compare with loading
http://www.microsoft.com@www.mozilla.org

I'm filing this as a security bug because the warning added in bug 232567 was added to prevent URL spoofing.

NOTE: I'm not the original reporter of this bug. I'm filing it for akena666@hotmail.com who is French and doesn't speak English. Don't credit me as the reporter.
*** This bug has been marked as a duplicate of 337721 ***
Group: security
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
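
An added example, not part of the original report and not Mozilla's code: a Python link check that percent-decodes the host before deciding whether a userinfo warning applies, run on the two testcase URLs from the report. The function name, the reason labels and the host-shape regex are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed heuristic: userinfo shaped like a DNS name is a spoofing signal.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def inspect_authority(url):
    """Return the userinfo, the decoded host and the reasons to warn."""
    parts = urlsplit(url)
    # Everything before the last "@" in the authority is userinfo.
    userinfo, at, _ = parts.netloc.rpartition("@")
    # urlsplit leaves percent-escapes in the host untouched, so a check
    # that looks at the raw string never sees the real host name.
    raw_host = parts.hostname or ""
    host = unquote(raw_host).lower()

    reasons = []
    if at:
        reasons.append("userinfo-present")
        user = unquote(userinfo.split(":", 1)[0])
        if HOSTLIKE.match(user) and user.lower() != host:
            reasons.append("userinfo-looks-like-other-host")
    if "%" in raw_host:
        reasons.append("host-percent-encoded")
    return {"userinfo": userinfo if at else None,
            "host": host,
            "reasons": reasons}


# The first two URLs are the testcases from the report; the third is a
# constructed control with no userinfo.
SAMPLES = [
    "http://www.microsoft.com@%77%77%77%2E%6D%6F%7A%69%6C%6C%61%2E%6F%72%67",
    "http://www.microsoft.com@www.mozilla.org",
    "http://www.mozilla.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = inspect_authority(sample)
        print(sample)
        print("  host:", result["host"], "reasons:", result["reasons"])
```

Both testcase URLs resolve to the same decoded host, so a warning keyed on the decoded authority fires for the encoded form as well as the plain one.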