Combined handling of \, @ in URLs may cause security problems

RESOLVED INVALID

Status

Core
Networking
9 years ago
8 years ago

People

(Reporter: Michal Zalewski, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:low] prevention)

(Reporter)

Description

9 years ago
Hi folks,

Fairly minor, but to pretty much all other browsers, this:

http://hello:world@foo.com\@bar.com

...is a URL pointing to foo.com.

Firefox, however, trims user:pass section at the rightmost @ (MSIE, Safari trim at the leftmost), and furthermore permits stray \ in the login / password segment (while all other browsers reject it or convert to /). As a result, it would see this as a reference to bar.com instead.

This is going to be rather painful to anyone trying to sanitize URLs to permit only whitelisted targets, etc. You might want to revise this at some point if there's no other strong rationale for this behavior.

Severity: enhancement → normal
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → networking
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 64488

(Reporter)

Comment 2

9 years ago
Huh?

That bug deals with \ in query strings, seems to be obsolete (e.g., http://example.com\/ does not result in an invalid HTTP request as implied in there), and does not really consider this angle?

I'm not complaining that you should be or should not be correcting \ to /...

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Actually it deals with \ in URLs in general as the title of the bug indicates. The initial comment is about query strings, further comments are about URLs in general though.

As per bug 64488 comment 1

RFC 2396 section 2.4.3 says "\" is not allowed within URIs.

Status: REOPENED → RESOLVED
Last Resolved: 9 years ago → 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 64488

Robert, this bug is about our handling of multiple '@' in the user/pass/host part of a URI. The '\\' is just incidental in terms of actually allowing a requestable URI in all browsers, as opposed to a requestable one in Firefox but a DNS error in all others. The fundamental issue is the '@'.

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Whiteboard: [sg:low] prevention

(Reporter)

Comment 5

8 years ago
I actually researched this a bit better, and I no longer believe that any particular change to this aspect of URL handling is going to make an appreciable difference. Specifically, looks like there is a considerable body of ambiguous URLs that resolve differently in different browsers, and Firefox is not particularly more likely to stand out across this data set. Examples include:

* http://example.com\@coredump.cx/
* http://example.com;.coredump.cx/

I'm marking this as INVALID, hope you don't mind ;-)

Status: REOPENED → RESOLVED
Last Resolved: 9 years ago → 8 years ago
Resolution: --- → INVALID
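
An added example, not part of the bug report or of any browser's code: an allowlist check that computes the host under each combination of the two rules discussed above (userinfo trimmed at the leftmost or rightmost @, and \ treated as / or kept literally) and fails closed when the readings disagree. All function names are hypothetical, and only these two rules are modelled, so the ';' case from comment 5 is not covered.

```python
from typing import Optional, Set

def authority_of(url: str, backslash_is_slash: bool) -> str:
    """Text between '://' and the first path/query/fragment delimiter."""
    rest = url.split("://", 1)[1]
    delims = "/?#" + ("\\" if backslash_is_slash else "")
    cuts = [rest.find(c) for c in delims]
    return rest[:min((i for i in cuts if i != -1), default=len(rest))]

def host_of(authority: str, rightmost_at: bool) -> str:
    """Drop userinfo at the rightmost or leftmost '@', then drop any port."""
    if "@" in authority:
        parts = authority.rsplit("@", 1) if rightmost_at else authority.split("@", 1)
        authority = parts[1]
    return authority.split(":", 1)[0].lower()

def candidate_hosts(url: str) -> Set[str]:
    """Every host the URL could mean under the four rule combinations."""
    if "://" not in url:
        return set()
    return {host_of(authority_of(url, bs), right)
            for bs in (True, False) for right in (True, False)}

def allowed_host(url: str, allowlist: Set[str]) -> Optional[str]:
    """Return the host only if all readings agree and it is allowlisted."""
    hosts = candidate_hosts(url)
    if len(hosts) != 1:
        return None  # ambiguous or unparsable: fail closed
    host = next(iter(hosts))
    return host if host in allowlist else None

if __name__ == "__main__":
    ALLOW = {"foo.com"}  # constructed allowlist
    for u in (r"http://hello:world@foo.com\@bar.com",   # from the report
              r"http://example.com\@coredump.cx/",       # from comment 5
              "http://hello:world@foo.com/index.html"):  # constructed, unambiguous
        print(u, sorted(candidate_hosts(u)), allowed_host(u, ALLOW))
```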