Closed
Bug 516896
Opened 15 years ago
Closed 14 years ago
Combined handling of \, @ in URLs may cause security problems
Categories
(Core :: Networking, defect)
RESOLVED
INVALID
People
(Reporter: lcamtuf, Unassigned)
Details
(Whiteboard: [sg:low] prevention)
Hi folks,

Fairly minor, but to pretty much all other browsers, this:

http://hello:world@foo.com\@bar.com

...is a URL pointing to foo.com. Firefox, however, trims user:pass section at the rightmost @ (MSIE, Safari trim at the leftmost), and furthermore permits stray \ in the login / password segment (while all other browsers reject it or convert to /). As a result, it would see this as a reference to bar.com instead.

This is going to be rather painful to anyone trying to sanitize URLs to permit only whitelisted targets, etc. You might want to revise this at some point if there's no other strong rationale for this behavior.
Updated•15 years ago
Severity: enhancement → normal
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → networking
Updated•15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 2•15 years ago (Reporter)
Huh? That bug deals with \ in query strings, seems to be obsolete (e.g., http://example.com\/ does not result in an invalid HTTP request as implied in there), and does not really consider this angle? I'm not complaining that you should be or should not be correcting \ to /...
Updated•15 years ago
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 3•15 years ago
Actually it deals with \ in URLs in general as the title of the bug indicates. The initial comment is about query strings, further comments are about URLs in general though. As per bug 64488 comment 1 RFC 2396 section 2.4.3 says "\" is not allowed within URIs.
Status: REOPENED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → DUPLICATE
Comment 4•15 years ago
Robert, this bug is about our handling of multiple '@' in the user/pass/host part of a URI. The '\\' is just incidental in terms of actually allowing a requestable URI in all browsers, as opposed to a requestable one in Firefox but a DNS error in all others. The fundamental issue is the '@'.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Updated•14 years ago
Whiteboard: [sg:low] prevention
Comment 5•14 years ago (Reporter)
I actually researched this a bit better, and I no longer believe that any particular change to this aspect of URL handling is going to make an appreciable difference. Specifically, looks like there is a considerable body of ambiguous URLs that resolve differently in different browsers, and Firefox is not particularly more likely to stand out across this data set. Examples include:

* http://example.com\@coredump.cx/
* http://example.com;.coredump.cx/

I'm marking this as INVALID, hope you don't mind ;-)
Status: REOPENED → RESOLVED
Closed: 15 years ago → 14 years ago
Resolution: --- → INVALID
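
The two authority-splitting choices described in the original report (leftmost versus rightmost @, and whether \ ends the host part), modelled as an added example that is not part of the bug thread and is not any browser's parser. The names hostUnder, MODELS and checkTarget and the hostname character rule are assumptions; the checker refuses any URL on which the models disagree instead of picking one reading.

```javascript
// Added example: hypothetical models of the parsing choices named in the report.
// atRule:        which '@' ends the userinfo ("leftmost" or "rightmost")
// backslashEnds: true  -> '\' is treated like '/' and ends the authority
//                false -> '\' may stay inside the authority
function hostUnder(url, { atRule, backslashEnds }) {
  const m = /^https?:\/\/(.*)$/i.exec(url);
  if (!m) return null; // only http(s) is modelled here
  const terminators = backslashEnds ? /[\/\\?#]/ : /[\/?#]/;
  const authority = m[1].split(terminators)[0];
  const at = atRule === "leftmost" ? authority.indexOf("@") : authority.lastIndexOf("@");
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return hostport.replace(/:\d*$/, "").toLowerCase(); // drop an optional port
}

const MODELS = [
  { atRule: "leftmost", backslashEnds: true },
  { atRule: "rightmost", backslashEnds: true },
  { atRule: "rightmost", backslashEnds: false }, // behaviour the report attributes to Firefox
  { atRule: "leftmost", backslashEnds: false },
];

// Allowlist check that fails closed when the models do not agree on one host.
function checkTarget(url, allowedHosts) {
  const hosts = new Set(MODELS.map((model) => hostUnder(url, model)));
  if (hosts.has(null)) return { ok: false, reason: "unsupported-scheme" };
  if (hosts.size !== 1) {
    return { ok: false, reason: "ambiguous-authority", hosts: [...hosts] };
  }
  const [host] = hosts;
  // Assumed rule: plain DNS names only (letters, digits, '.', '-'); no IPv6 literals.
  if (!/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/.test(host)) {
    return { ok: false, reason: "invalid-host-chars" };
  }
  if (!allowedHosts.includes(host)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true, host };
}

// URLs taken from the thread, plus one constructed unambiguous URL.
const samples = [
  "http://hello:world@foo.com\\@bar.com",
  "http://example.com\\@coredump.cx/",
  "http://example.com;.coredump.cx/",
  "http://user:pw@foo.com:8080/path?x=1", // constructed
];
for (const u of samples) console.log(u, JSON.stringify(checkTarget(u, ["foo.com"])));
```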