Closed Bug 377052 Opened 17 years ago Closed 8 years ago

nsBaseURLParser::ParseURL doesn't handle spaces embedded in the spec proprely

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla47
Tracking Flags:
Tracking Status
firefox47 --- fixed

People

(Reporter: brettw, Assigned: valentin)

Details

(Whiteboard: [necko-backlog])

Attachments

(1 file)

nsBaseURLParser::ParseURL doesn't handle spaces embedded in the scheme properly
1.56 KB, patch
mcmanus
: review+
Details | Diff | Splinter Review 
97     for (p = spec; len && *p && !colon && !slash; ++p, --len) {
 98         // skip leading whitespace and control characters
 99         if (*p > '\0' && *p <= ' ') {
100             spec++;
101             specLen--;
102             continue;
103         }
            ...

When nsBaseURLParser::ParseURL finds a space in the input, it shifts the input over by one byte. This correctly handles leading spaces on URL specs. However, this case still runs if there are spaces in the middle of the spec, or trailing spaces. In these other cases, it still shifts the start of the string over, corrupting the spec.

This could conceivably be a security problem because by adding spaces to the middle of a URL, I can cause the parser to ignore characters at the beginning of the string, potentially making the domain name parse to something else. If the spec is given to another component that parses the URL differently, they will see different domain names, opening cross-site scripting attacks.

This should not be a security problem in practice because all code because everybody uses this same parser and the results are canonicalized after that, which should permanently remove any of the characters at the beginning that were skipped.
valentin - what do you think the current state of this is?
Flags: needinfo?(valentin.gosu)
Whiteboard: [necko-backlog]
The comment is correct. That loop actually only runs for the scheme. And since a scheme can't be matched if it contains spaces, we never actually hit this corner case. But I think it's worth fixing.
Attachment #8714290 - Flags: review?(mcmanus)
Assignee: nobody → valentin.gosu
Status: NEW → ASSIGNED
Attachment #8714290 - Flags: review?(mcmanus) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/4e60a3ad8b3948dc40e04ac9e77a8dadc34b6717
Bug 377052 - nsBaseURLParser::ParseURL doesn't handle spaces embedded in the scheme properly r=mcmanus
https://hg.mozilla.org/mozilla-central/rev/4e60a3ad8b39
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox47: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Flags: needinfo?(valentin.gosu)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: