456673 - Location bar should notice to user if URI is too long

Status: RESOLVED INACTIVE

Description

[Masahiro YAMADA]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Locationbar does notice to user whenever URI is overflowed (too long to show).
And, location bar decodes %20 as " " (I believe decoding %20 as " "  is correct behavior).
So, attacker can use too many %20 to spoof URI.


Reproducible: Always

Steps to Reproduce:
Naviagte to malformed URI that caontains
too many % encoded spaces (%20) and other characters.
For example:
http://example.com/a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20b

Actual Results:  
Location bar wills show it as "http://example.com/a                                                                                              b"
And If location bar does not have enough width, there is no method to tell "There is overflowed text" to user. So, user will recognize its address as "http://example.com/a".

Expected Results:  
Some UI is needed. But I don't know what is best.

This is already known in community of security.
It may not needed to set Security flag.

Comment 1

[Daniel Veditz [:dveditz]]

Does it decode %20 for you? It might in the status-bar on mouseover but should not in the location bar itself.

This can't be used to spoof the hostname, is the path really all that meaningful? You can hide an extension, but there are lots of ways to do that.

Comment 2

[Masahiro YAMADA]

I think , decoding %20 as space is not wrong
And, I agree this can'be used to spoof hostname (it is reason why I marked this bug as "normal", not "major").

It is needed to notify to user overflowed string exists on location bar.
Status bar uses intl.ellipsis when URI is too long to show,
but, location bar does nothing.

Comment 3

[John P Baker]

See also bug 403277

Comment 4

[:Gavin Sharp [email: gavin@gavinsharp.com]]

(In reply to comment #1)
> Does it decode %20 for you? It might in the status-bar on mouseover but should
> not in the location bar itself.

We intentionally decode %20 to " " (see bug 416144).

Comment 5

[Tyler Downer [:Tyler]]

Reporter, are you still seeing this issue with Firefox 3.6.10 or later in safe mode or a fresh profile? If not, please close. These links can help you in your testing.
http://support.mozilla.com/kb/Safe+Mode
http://support.mozilla.com/kb/Managing+profiles

Comment 6

[Masahiro YAMADA]

Still reproduced on 3.6.10 and 4.0b7pre (build from http://hg.mozilla.org/mozilla-central/rev/10a6b2c105ae )

Comment 7

[Tyler Downer [:Tyler]]

No reply from reporter, INCOMPLETE. Please retest with Firefox 3.6.12 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.

Comment 8

[Yuan Wang(:Yuan) – Mobile Firefox Design Lead]

Please retest with the latest Firefox. If this problem still happen, you may comment below to reopen it.
Delete uiwanted for now.

Comment 9

[BMO Automation]

Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.