Fx3 thinks valid urls are invalid

Status: NEW, Unassigned
Product: Firefox, Component: General
Opened 10 years ago, updated 10 years ago
Reporter: Tom Aratyn
Version: 3.0 Branch; Platform: x86, Windows XP
Attachments: 5

(Reporter)

Description

10 years ago
When I go to the above URL by typing it in, clicking on a link, or setting it as the src of a xul:browser element (either in XUL or via JS), I get a popup saying that this is not a valid URL. However, Fx still gets the page and displays it.

What's more, if you get a page using a channel it won't cause a problem:

// Fetch the page through a channel instead of loading it in a browser
var ioserv = Components.classes["@mozilla.org/network/io-service;1"]
    .getService(Components.interfaces.nsIIOService);
var channel = ioserv.newChannel("http://192.168.123.100:591/classic.php?yname=+%3CMETA+HTTP-EQUIV%3D%22refresh%22+CONTENT%3D%220%3B+URL%3Dhttp%3A%2F%2F%3BURL%3Djavascript%3Adocument.vulnerable%3Dtrue%3B%22%3E+", 0, null);
var stream = channel.open();
// Read the whole response synchronously and show it
var sis = Components.classes["@mozilla.org/scriptableinputstream;1"]
    .createInstance(Components.interfaces.nsIScriptableInputStream);
sis.init(stream);
alert(sis.read(sis.available()));

It seems like the SUMO troubleshooters have heard of this problem and say it's related to cookies and cache. This seems likely as when cookies and cache are deleted the problem goes away. However, this is NOT a solution for addon developers seeking to use the Fx api for their addons (it currently affects my addons which are hosted on AMO) and blocks Fx3 updates. 

This problem was mentioned on the mozilla.dev.extensions newsgroup but didn't get much traction :(.
(Reporter)

Comment 1

10 years ago
Originally detected on 

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
(Reporter)

Comment 2

10 years ago
Also confirmed on a nightly:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.2pre) Gecko/2008070305 GranParadiso/3.0.2pre

Comment 4

10 years ago
I can't load the page at all, since it's part of your local network.  So I can't confirm this bug.

> I get a popup saying
> that this is not a valid URL. However Fx still gets the page and displays it.

Sounds like some element *in the page* contains an invalid URL, rather than Firefox thinking the page itself has an invalid URL.
(Reporter)

Comment 5

10 years ago
Hi Jesse,

Just replace the IP address with localhost or something. The issue is not with the IP address but the GET data that is (probably) screwing something up :(.

classic.php just does some simple echoing of $_GET['name'] and a bit of simple HTML. No links nor any fanciness of any kind (not even a style sheet much less JS).

Comment 6

10 years ago
Works fine for me.  I get an error page "Firefox can't establish a connection to the server at localhost:591." and nothing weird.

Does the bug depend on the meta refresh being echoed?
(Reporter)

Comment 7

10 years ago
Hi Jesse, 

Sorry I disappeared for a while. BTW, I want to confirm that this is still happening on Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1. 

(In reply to comment #6)
> Works fine for me.  I get an error page "Firefox can't establish a connection
> to the server at localhost:591." and nothing weird.

I'll post my "classic.php" so you can run it on your server and test it.

> 
> Does the bug depend on the meta refresh being echoed?
> 

Frankly, I'm not sure what this depends on. I guess it depends on the meta refresh but it also doesn't get triggered every time. Any ideas about what I can do to test this?

(Reporter)

Comment 8

10 years ago
Created attachment 334350
a simple php script that echos "myname"
(Reporter)

Updated

10 years ago
Attachment #334350 - Attachment mime type: application/octet-stream → text/plain

Comment 9

10 years ago
Created attachment 334389
relevant HTML output from the PHP script

The <meta refresh> URL is malformed.  Safari says the same thing.  Why do you think this is a bug in Firefox?
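
Added example (not part of the bug report or any commenter's code): decoding the query string from the description shows the refresh target that the page echoes, and parsing that target with Node's WHATWG `URL` class, used here as a stand-in for a browser's URL parser, rejects it. The helper names are hypothetical.

```javascript
// Query string copied from the channel example in the bug description.
const QUERY =
  "yname=+%3CMETA+HTTP-EQUIV%3D%22refresh%22+CONTENT%3D%220%3B" +
  "+URL%3Dhttp%3A%2F%2F%3BURL%3Djavascript%3Adocument.vulnerable%3Dtrue%3B" +
  "%22%3E+";

// Form-decode one parameter the way a server-side echo would see it
// ('+' becomes a space, %XX becomes the byte).
function decodeParam(query, name) {
  return new URLSearchParams(query).get(name);
}

// Pull the CONTENT attribute out of an echoed <META HTTP-EQUIV="refresh"> tag.
function refreshContent(html) {
  const m = /<meta\s+http-equiv="refresh"\s+content="([^"]*)"/i.exec(html);
  return m ? m[1] : null;
}

// Split "delay; URL=target" into its parts. Everything after the first
// "URL=" is kept as the target, including any later ';' characters.
function parseRefresh(content) {
  const m = /^\s*(\d+)\s*[;,]\s*url\s*=\s*(.*)$/i.exec(content);
  return m ? { delay: Number(m[1]), target: m[2].trim() } : null;
}

// Validate the target with the WHATWG URL parser (assumption: stand-in
// for the browser's own parser, which may differ in detail).
function checkTarget(target) {
  try {
    return { valid: true, href: new URL(target).href };
  } catch (e) {
    return { valid: false, reason: e.message };
  }
}

// Run the whole chain: decode, extract the refresh, validate its target.
function analyse(query, name) {
  const echoed = decodeParam(query, name);
  const refresh = parseRefresh(refreshContent(echoed || "") || "");
  return { echoed, refresh, check: refresh && checkTarget(refresh.target) };
}

console.log(analyse(QUERY, "yname"));
```

The page URL itself parses without error; only the refresh target embedded in the echoed parameter fails, because `http://` is followed by `;URL=javascript:...` where a host and an optional numeric port are expected.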
(Reporter)

Comment 10

10 years ago
(In reply to comment #9)
> Created an attachment (id=334389)
> relevant HTML output from the PHP script
> 
> The <meta refresh> URL is malformed.  Safari says the same thing.  Why do you
> think this is a bug in Firefox?
> 

Hi Jesse,

First of all, thanks for the help! I really appreciate it.

I treated this as a bug because this behavior changed from Fx2 to Fx3. In Fx2 there were no problems.

Can you give me a clue about the inconsistent behavior? THAT should be a bug, shouldn't it?

Comment 11

10 years ago
I get the same behavior with Firefox 2.0.0.16 and Firefox trunk -- loading the "relevant HTML output from the PHP script" file causes a dialog saying "The URL is not valid and cannot be loaded".
(Reporter)

Comment 12

10 years ago
I get that popup sometimes when running the extension. And I don't think I ever hit it with Fx2.

The extension in question is https://addons.mozilla.org/en-US/firefox/addon/7598. I've run it through wireshark and the attack is definitely going through but the popup only shows up sometimes (and I've never seen it in Fx2). Can you confirm that this is or isn't happening for you?
(Reporter)

Comment 13

10 years ago
Created attachment 337934
This set of strings triggers the attack
(Reporter)

Comment 14

10 years ago
Created attachment 337935
This set of strings does NOT trigger the bug.
(Reporter)

Comment 15

10 years ago
Created attachment 337937
An fx3 compatible version which triggers the bug.
(Reporter)

Comment 16

10 years ago
I've attached two xml exports of strings that do and do not trigger the bug as well as a copy of the extension.

Steps to reproduce:

1. install the extension & restart
2. download the set of strings that triggers the bug (attachment 337934)
3. go to tools->xss me->options
4. click on the xss strings tab
5. select all the strings currently in the system.
6. click remove
7. click import
8. find the downloaded string set (attachment 337934)
9. go to your install of the simple php xss page (attachment 334350)
10. open the side bar (using either context menu or tools menu)
11. click the run all tests button
12. download the set of strings that does not trigger the bug (attachment 338935)
13. repeat steps 3-7
14. find the downloaded string set (attachment 337935)
15. repeat steps 9-11

Expected results:
Either for popups to pop up for both cases or for neither

Actual results:
I get popups for one case (attachment 337934) but not the other (337935)