Location bar should notice to user if URI is too long

RESOLVED INACTIVE

Status

()

RESOLVED INACTIVE
10 years ago
4 months ago

People

(Reporter: masa141421356, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Locationbar does notice to user whenever URI is overflowed (too long to show).
And, location bar decodes %20 as " " (I believe decoding %20 as " "  is correct behavior).
So, attacker can use too many %20 to spoof URI.


Reproducible: Always

Steps to Reproduce:
Naviagte to malformed URI that caontains
too many % encoded spaces (%20) and other characters.
For example:
http://example.com/a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20b

Actual Results:  
Location bar wills show it as "http://example.com/a                                                                                              b"
And If location bar does not have enough width, there is no method to tell "There is overflowed text" to user. So, user will recognize its address as "http://example.com/a".

Expected Results:  
Some UI is needed. But I don't know what is best.

This is already known in community of security.
It may not needed to set Security flag.
(Reporter)

Updated

10 years ago
Keywords: uiwanted
Does it decode %20 for you? It might in the status-bar on mouseover but should not in the location bar itself.

This can't be used to spoof the hostname, is the path really all that meaningful? You can hide an extension, but there are lots of ways to do that.
Group: core-security
(Reporter)

Comment 2

10 years ago
I think , decoding %20 as space is not wrong
And, I agree this can'be used to spoof hostname (it is reason why I marked this bug as "normal", not "major").

It is needed to notify to user overflowed string exists on location bar.
Status bar uses intl.ellipsis when URI is too long to show,
but, location bar does nothing.

Comment 3

10 years ago
See also bug 403277

Updated

10 years ago
Depends on: 403277
(In reply to comment #1)
> Does it decode %20 for you? It might in the status-bar on mouseover but should
> not in the location bar itself.

We intentionally decode %20 to " " (see bug 416144).
Reporter, are you still seeing this issue with Firefox 3.6.10 or later in safe mode or a fresh profile? If not, please close. These links can help you in your testing.
http://support.mozilla.com/kb/Safe+Mode
http://support.mozilla.com/kb/Managing+profiles
Whiteboard: [CLOSEME 2010-11-01]
(Reporter)

Comment 6

8 years ago
Still reproduced on 3.6.10 and 4.0b7pre (build from http://hg.mozilla.org/mozilla-central/rev/10a6b2c105ae )
No reply from reporter, INCOMPLETE. Please retest with Firefox 3.6.12 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE

Updated

8 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Whiteboard: [CLOSEME 2010-11-01]

Updated

8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Please retest with the latest Firefox. If this problem still happen, you may comment below to reopen it.
Delete uiwanted for now.
Keywords: uiwanted

Comment 9

4 months ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Last Resolved: 8 years ago4 months ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.