Location bar should notify user if URI is too long




10 years ago
7 months ago


(Reporter: masa141421356, Unassigned)


Firefox Tracking Flags

(Not tracked)




10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv: Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv: Gecko/2008070208 Firefox/3.0.1

Locationbar does notice to user whenever URI is overflowed (too long to show).
And, the location bar decodes %20 as " " (I believe decoding %20 as " " is correct behavior).
So, an attacker can use too many %20 to spoof the URI.

Reproducible: Always

Steps to Reproduce:
Navigate to a malformed URI that contains
too many % encoded spaces (%20) and other characters.
For example:

Actual Results:  
Location bar will show it as "http://example.com/a                                                                                              b"
And if the location bar does not have enough width, there is no method to tell the user "There is overflowed text". So, the user will recognize its address as "http://example.com/a".

Expected Results:  
Some UI is needed. But I don't know what is best.

This is already known in the security community.
It may not be needed to set the Security flag.


10 years ago
Keywords: uiwanted
Does it decode %20 for you? It might in the status-bar on mouseover but should not in the location bar itself.

This can't be used to spoof the hostname, is the path really all that meaningful? You can hide an extension, but there are lots of ways to do that.
Group: core-security

Comment 2

10 years ago
I think decoding %20 as space is not wrong.
And, I agree this can't be used to spoof the hostname (it is the reason why I marked this bug as "normal", not "major").

It is needed to notify the user that an overflowed string exists in the location bar.
Status bar uses intl.ellipsis when URI is too long to show,
but, location bar does nothing.
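
The gap described in comment 2 (the status bar elides an over-long URI with intl.ellipsis, the location bar signals nothing) can be sketched as follows. This is an added example, not Firefox code and not written by any commenter; the function names, the character-cell width model and the sample URL are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code; all names here are hypothetical.
const ELLIPSIS = "\u2026";

// Display form as discussed in the bug: %20 is shown as a space.
function displayForm(url) {
  return url.replace(/%20/g, " ");
}

// Fit the display form into a field of `width` characters (assumption:
// fixed-width cells; a real UI measures pixels). When text is cut off,
// the last visible cell becomes an ellipsis so the overflow is signalled
// instead of silently hidden.
function fitToField(url, width) {
  const shown = displayForm(url);
  if (shown.length <= width) {
    return { text: shown, overflowed: false, hiddenText: "" };
  }
  const visible = shown.slice(0, width - 1);
  const hidden = shown.slice(width - 1);
  return {
    // Trailing spaces before the ellipsis carry no information; trimming
    // them puts the ellipsis right next to the last visible character.
    text: visible.trimEnd() + ELLIPSIS,
    overflowed: true,
    hiddenText: hidden.trim(),
  };
}

// Longest run of consecutive spaces in the display form; a long run is
// the padding pattern described in the report.
function longestSpaceRun(url) {
  const runs = displayForm(url).match(/ +/g) || [];
  return runs.reduce((max, run) => Math.max(max, run.length), 0);
}

// Constructed sample: 90 encoded spaces between "a" and "b".
const sample = "http://example.com/a" + "%20".repeat(90) + "b";
const fitted = fitToField(sample, 40);
console.log(JSON.stringify(fitted), longestSpaceRun(sample));
```

With the ellipsis in place, a 40-character field shows that text follows "http://example.com/a" rather than presenting it as the complete address.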

Comment 3

10 years ago
See also bug 403277
Depends on: 403277
(In reply to comment #1)
> Does it decode %20 for you? It might in the status-bar on mouseover but should
> not in the location bar itself.

We intentionally decode %20 to " " (see bug 416144).
Reporter, are you still seeing this issue with Firefox 3.6.10 or later in safe mode or a fresh profile? If not, please close. These links can help you in your testing.
Whiteboard: [CLOSEME 2010-11-01]

Comment 6

8 years ago
Still reproduced on 3.6.10 and 4.0b7pre (build from http://hg.mozilla.org/mozilla-central/rev/10a6b2c105ae )
No reply from reporter, INCOMPLETE. Please retest with Firefox 3.6.12 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest Firefox and a new profile, then please comment on this bug.
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
Resolution: INCOMPLETE → ---
Whiteboard: [CLOSEME 2010-11-01]
Ever confirmed: true
Please retest with the latest Firefox. If this problem still happens, you may comment below to reopen it.
Delete uiwanted for now.

Comment 9

7 months ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Last Resolved: 8 years ago → 7 months ago
Resolution: --- → INACTIVE