Last Comment Bug 467563 - percent-encoded port numbers are mis-parsed in URIs
: percent-encoded port numbers are mis-parsed in URIs
Status: RESOLVED FIXED
[sg:low spoof]
:
Product: Core
Classification: Components
Component: Networking (show other bugs)
: Trunk
: All All
: -- normal with 1 vote (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
http://google.com:%38%30/
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-02 09:57 PST by Bob Aman
Modified: 2011-08-05 14:18 PDT (History)
5 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
wontfix


Attachments

Description Bob Aman 2008-12-02 09:57:13 PST
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

If you try to navigate to http://google.com:%38%30/, Firefox will normalize and navigate to http://google.com:38/ instead, which is clearly wrong.

Reproducible: Always

Steps to Reproduce:
1. Navigate to http://google.com:%38%30/

Actual Results:  
Firefox tries to connect to port 38 on google.com.

Expected Results:  
Firefox should have tried to connect to port 80 on google.com.

Opera and IE both normalize to http://google.com/ which seems reasonable to me since "%38%30" unencodes to "80".  Safari gives a weird error message.
Comment 1 Bob Aman 2008-12-04 11:10:32 PST
From reading RFC 3986, it's pretty clear that percent encoding port numbers is not legitimate.  However, pulling out a numeric valid from a percent encoded string is even less legitimate.

The way I see it, there's only two sensible approaches here.  You could take the purist approach and give an error message.  Or you could take the liberalist approach and unencode the port component before looking for a numeric value.
Comment 2 Ed Lee :Mardak 2009-01-28 08:08:01 PST
Dao: Something with how firefox decodes uris? Might be more than just firefox though.. If you hover over the URL link, it already shows google.com:38, so not just the location bar decoding logic..
Comment 3 Bob Aman 2009-01-28 08:11:00 PST
Yeah sorry, I knew it wasn't location bar specific, but I didn't see a better place to categorize the bug.
Comment 4 Daniel Veditz [:dveditz] 2011-08-05 14:18:41 PDT
This is fixed on trunk, still a problem in 3.6.x. Realistically we're not going to backport this fix.

Note You need to log in before you can comment on or make changes to this bug.