Closed Bug 456673 Opened 17 years ago Closed 7 years ago

Location bar should notice to user if URI is too long

Categories

(Firefox :: Address Bar, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED INACTIVE

People

(Reporter: masa141421356, Unassigned)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-KS; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Locationbar does notice to user whenever URI is overflowed (too long to show). And, location bar decodes %20 as " " (I believe decoding %20 as " " is correct behavior). So, an attacker can use too many %20 to spoof the URI.

Reproducible: Always

Steps to Reproduce:
Navigate to a malformed URI that contains too many % encoded spaces (%20) and other characters. For example:
http://example.com/a%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20b

Actual Results:
Location bar will show it as "http://example.com/a b". And if the location bar does not have enough width, there is no method to tell the user "There is overflowed text". So, the user will recognize its address as "http://example.com/a".

Expected Results:
Some UI is needed. But I don't know what is best.

This is already known in the security community. It may not be needed to set the Security flag.
Keywords: uiwanted
Does it decode %20 for you? It might in the status-bar on mouseover but should not in the location bar itself. This can't be used to spoof the hostname, is the path really all that meaningful? You can hide an extension, but there are lots of ways to do that.
Group: core-security
I think decoding %20 as space is not wrong. And I agree this can't be used to spoof hostname (it is the reason why I marked this bug as "normal", not "major"). It is needed to notify the user that an overflowed string exists on the location bar. Status bar uses intl.ellipsis when URI is too long to show, but location bar does nothing.
See also bug 403277
Depends on: 403277
(In reply to comment #1)
> Does it decode %20 for you? It might in the status-bar on mouseover but should
> not in the location bar itself.

We intentionally decode %20 to " " (see bug 416144).
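The behaviour discussed in this thread, as an added example that is not part of the bug report or of Firefox's code: a model of a location bar that decodes %20 for display and shows only the first `width` characters, reporting when real characters are pushed out of view behind whitespace. The function names, the fixed character width and the ellipsis marker are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code; every name here is hypothetical.
// Models a location bar that decodes %20 for display and shows only the
// first `width` characters, then reports what the user cannot see.
const ELLIPSIS = "\u2026"; // assumed overflow marker

// Decode for display as the thread describes (%20 becomes " ").
// decodeURI throws on malformed escapes, so fall back to %20 only.
function displayForm(url) {
  try {
    return decodeURI(url);
  } catch (e) {
    return url.replace(/%20/g, " ");
  }
}

function analyzeLocationBar(url, width) {
  const shown = displayForm(url);
  const overflow = shown.length > width;
  const visible = overflow ? shown.slice(0, width) : shown;
  const hidden = overflow ? shown.slice(width) : "";
  return {
    overflow,
    // Trailing spaces render as nothing, so this is what the user reads.
    perceived: visible.trimEnd(),
    // Padding case: the visible part ends in whitespace while real
    // characters sit out of view behind it.
    paddedTail: overflow && /\s$/.test(visible) && /\S/.test(hidden),
    hiddenChars: hidden.length,
    // Same text with an explicit marker whenever something is cut off.
    withMarker: overflow
      ? visible.slice(0, width - 1).trimEnd() + ELLIPSIS
      : shown,
  };
}

// Constructed sample in the shape of the report's URL.
const SAMPLE = "http://example.com/a" + "%20".repeat(60) + "b";
console.log(analyzeLocationBar(SAMPLE, 40));
```

With the marker applied, the padded sample reads as `http://example.com/a…` instead of a complete-looking `http://example.com/a`.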
Reporter, are you still seeing this issue with Firefox 3.6.10 or later in safe mode or a fresh profile? If not, please close. These links can help you in your testing. http://support.mozilla.com/kb/Safe+Mode http://support.mozilla.com/kb/Managing+profiles
Whiteboard: [CLOSEME 2010-11-01]
Still reproduced on 3.6.10 and 4.0b7pre (build from http://hg.mozilla.org/mozilla-central/rev/10a6b2c105ae )
No reply from reporter, INCOMPLETE. Please retest with Firefox 3.6.12 or later and a new profile (http://support.mozilla.com/kb/Managing+profiles). If you continue to see this issue with the newest firefox and a new profile, then please comment on this bug.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Whiteboard: [CLOSEME 2010-11-01]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Please retest with the latest Firefox. If this problem still happens, you may comment below to reopen it. Delete uiwanted for now.
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 15 years ago → 7 years ago
Resolution: --- → INACTIVE