Bug 522634 - decodeURIComponent/decodeURI allows non-shortest form of 16 bits char on 4 bytes representation
Status: RESOLVED DUPLICATE of bug 511859
Product: Core
Classification: Components
Component: String
Version: unspecified
Hardware: x86 Windows NT
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
QA Contact: Nathan Froyd [:froydnj]
Reported: 2009-10-15 20:14 PDT by Eduardo Vela N
Modified: 2009-10-18 20:22 PDT
Description Eduardo Vela N 2009-10-15 20:14:08 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5

Firefox is supposed to consider the non-shortest form exception (http://www.unicode.org/reports/tr36/#UTF-8_Exploit), section 3.1 of the Unicode Technical Report #36, but apparently there's a flaw in it. This is especially problematic because an overlong Unicode sequence that is not taken into consideration may allow several types of filter bypasses.

The following non-shortest form for the char U+1000:
0xF0 0x81 0x80 0x80

is allowed, as well as the correct shortest form:
0xE1 0x80 0x80

Note that this problem is only present in the 4-byte representation (0xE0 0x81 0x80 is correctly marked as U+FFFD).

Reproducible: Always

Steps to Reproduce:
1. alert(decodeURI("%F0%81%80%80")==decodeURI("%E1%80%80"))
2. alert(escape(decodeURI("%F0%81%80%80")))
Actual Results:
1. true
2. %u1000

Expected Results:
1. false
2. %uFFFD

Check:
http://www.unicode.org/reports/tr36/#UTF-8_Exploit
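A strict percent-decoder that rejects the overlong 4-byte form described in the report, added here as an example; it is not Firefox's code and not part of the bug report. The function names (`percentDecodeBytes`, `strictUtf8Decode`, `strictDecodeURI`) and the choice to map a complete but overlong sequence to a single U+FFFD are this example's own assumptions.

```javascript
// Smallest code point each sequence length may legitimately encode.
const MIN_FOR_LENGTH = { 2: 0x80, 3: 0x800, 4: 0x10000 };

// "%F0%81%80%80" -> [0xF0, 0x81, 0x80, 0x80]; other chars give their own UTF-8 bytes.
function percentDecodeBytes(str) {
  const bytes = [];
  const enc = new TextEncoder();
  for (let i = 0; i < str.length; i++) {
    const hex = str.substr(i + 1, 2);
    if (str[i] === '%' && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(...enc.encode(str[i]));
    }
  }
  return bytes;
}

// Strict UTF-8 decoding: a sequence must be complete and its value must not
// be overlong, a surrogate, or above U+10FFFF; anything else becomes U+FFFD.
function strictUtf8Decode(bytes) {
  let out = '';
  let i = 0;
  while (i < bytes.length) {
    const b = bytes[i];
    let len, cp;
    if (b < 0x80) { out += String.fromCharCode(b); i += 1; continue; }
    if ((b & 0xE0) === 0xC0) { len = 2; cp = b & 0x1F; }
    else if ((b & 0xF0) === 0xE0) { len = 3; cp = b & 0x0F; }
    else if ((b & 0xF8) === 0xF0) { len = 4; cp = b & 0x07; }
    else { out += '\uFFFD'; i += 1; continue; } // invalid lead byte
    let complete = i + len <= bytes.length;
    for (let k = 1; complete && k < len; k++) {
      const c = bytes[i + k];
      if ((c & 0xC0) !== 0x80) complete = false;
      else cp = (cp << 6) | (c & 0x3F);
    }
    if (!complete) { out += '\uFFFD'; i += 1; continue; } // truncated sequence
    const bad = cp < MIN_FOR_LENGTH[len] || cp > 0x10FFFF ||
      (cp >= 0xD800 && cp <= 0xDFFF);
    // Chosen policy: a complete but overlong/invalid sequence yields one U+FFFD.
    out += bad ? '\uFFFD' : String.fromCodePoint(cp);
    i += len;
  }
  return out;
}

function strictDecodeURI(str) {
  return strictUtf8Decode(percentDecodeBytes(str));
}
```

With this decoder, `strictDecodeURI("%F0%81%80%80")` yields U+FFFD while `strictDecodeURI("%E1%80%80")` yields U+1000, so the two inputs no longer compare equal.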
Comment 1 Masahiro YAMADA 2009-10-18 20:22:09 PDT
This is fixed by bug 511859

*** This bug has been marked as a duplicate of bug 511859 ***