Closed Bug 516896 Opened 11 years ago Closed 10 years ago

Combined handling of \, @ in URLs may cause security problems

Categories

(Core :: Networking, defect)

defect
Not set

Tracking

()

RESOLVED INVALID

People

(Reporter: lcamtuf, Unassigned)

Details

(Whiteboard: [sg:low] prevention)

Hi folks,

Fairly minor, but to pretty much all other browsers, this:

http://hello:world@foo.com\@bar.com

...is an URL pointing to foo.com. 

Firefox, however, trims user:pass section at the rightmost @ (MSIE, Safari trim at the leftmost), and furthermore permits stray \ in the login / password segment (while all other browser reject it or convert to /). As a result, it would see this as a reference to bar.com instead.

This is going to be rather painful to anyone trying to sanitize URLs to permit only whitelisted targets, etc. You might want to revise this at some point if there's no other strong rationale for this behavior.
Severity: enhancement → normal
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → networking
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: backslash
Huh?

That bug deals with \ in query strings, seems to be obsolete (e.g., http://example.com\/ does not result in an invalid HTTP request as implied in there), and does not really consider this angle?

I'm not complaining that you should be or should not be correcting \ to /...
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Actually it deals with \ in URLs in general as the title of the bug indicates. The initial comment is about query strings, further comments are about URLs in general though.

As per bug 64488 comment 1

RFC 2396 section 2.4.3 says "\" is not allowed within URIs.
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: backslash
Robert, this bug is about our handling of multiple '@' in the user/pass/host part of a URI.  The '\\' is just incidental in terms of actually allowing a requestable URI in all browsers, as opposed to a requestable one in Firefox but a DNS error in all others.  The fundamental issue is the '@'.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Whiteboard: [sg:low] prevention
I actually researched this a bit better, and I no longer believe that any particular change to this aspect of URL handling is going to make an appreciable difference. Specifically, looks like there is a considerable body of ambiguous URLs that resolve differently in different browsers, and Firefox is not particularly more likely to stand out across this data set. Examples include:

* http://example.com\@coredump.cx/
* http://example.com;.coredump.cx/

I'm marking this as INVALID, hope you don't mind ;-)
Status: REOPENED → RESOLVED
Closed: 11 years ago10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.