Closed Bug 522634 Opened 16 years ago Closed 16 years ago

decodeURIComponent/decodeURI allows non-shortest form of 16 bits char on 4 bytes representation

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Platform:
x86
Windows NT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 511859

People

(Reporter: sirdarckcat, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5 Firefox is supposed to consider the non-shortest form exception (http://www.unicode.org/reports/tr36/#UTF-8_Exploit), section 3.1 of the Unicode Technical Report #36 but apparently there's a flaw on it. This is specially problematic for the reasons that an overlong unicode sequence not taken into consideration may allow several types of filter bypasses. The following non-shortest form for the char U+1000: 0xF0 0x81 0x80 0x80 is allowed, as well as the correct shortest form: 0xE1 0x80 0x80 Note that this problem is only present on the 4 bytes representation (0xE0 0x81 0x80 is correctly marked as U+FFFD) Reproducible: Always Steps to Reproduce: 1. alert(decodeURI("%F0%81%80%80")==decodeURI("%E1%80%80")) 2. alert(escape(decodeURI("%F0%81%80%80"))) Actual Results: 1. true 2. %u1000 Expected Results: 1. false 2. %uFFFD Check: http://www.unicode.org/reports/tr36/#UTF-8_Exploit
This is fixed by bug 511859
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Component: String → XPCOM
You need to log in before you can comment on or make changes to this bug.