Closed Bug 522634 Opened 15 years ago Closed 15 years ago

decodeURIComponent/decodeURI allows non-shortest form of 16 bits char on 4 bytes representation

Categories

(Core :: XPCOM, defect)

x86
Windows NT
defect
Not set
normal


RESOLVED DUPLICATE of bug 511859

People

(Reporter: sirdarckcat, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5

Firefox is supposed to consider the non-shortest form exception (http://www.unicode.org/reports/tr36/#UTF-8_Exploit), section 3.1 of Unicode Technical Report #36, but apparently there's a flaw in it. This is especially problematic because an overlong Unicode sequence that is not taken into consideration may allow several types of filter bypasses.

The following non-shortest form for the char U+1000:
0xF0 0x81 0x80 0x80

is allowed, as well as the correct shortest form:
0xE1 0x80 0x80

Note that this problem is only present in the 4-byte representation (0xE0 0x81 0x80 is correctly marked as U+FFFD).

Reproducible: Always

Steps to Reproduce:
1. alert(decodeURI("%F0%81%80%80")==decodeURI("%E1%80%80"))
2. alert(escape(decodeURI("%F0%81%80%80")))
Actual Results:  
1. true
2. %u1000

Expected Results:  
1. false
2. %uFFFD

Check:
http://www.unicode.org/reports/tr36/#UTF-8_Exploit
This is fixed by bug 511859
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Component: String → XPCOM
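
Added example, not part of the original bug report or Mozilla's code: a strict UTF-8 decoder in JavaScript showing the shortest-form check the report expects, so that `%F0%81%80%80` decodes to U+FFFD while `%E1%80%80` decodes to U+1000. The names `decodeUtf8Strict` and `strictDecodeURI` are hypothetical, and collapsing each ill-formed sequence into a single U+FFFD is an assumption chosen to match the report's expected result.

```javascript
// Added example: strict UTF-8 decoding that enforces shortest form.
// Smallest code point each multi-byte length may legitimately encode.
const MIN_CP = { 2: 0x80, 3: 0x800, 4: 0x10000 };

function seqLength(lead) {
  if (lead < 0x80) return 1;
  if (lead >= 0xC0 && lead <= 0xDF) return 2;
  if (lead >= 0xE0 && lead <= 0xEF) return 3;
  if (lead >= 0xF0 && lead <= 0xF7) return 4;
  return 0; // stray continuation byte or invalid lead
}

// Returns code points; each ill-formed sequence becomes one U+FFFD.
// Assumption: a bad sequence swallows its trailing continuation bytes.
function decodeUtf8Strict(bytes) {
  const out = [];
  let i = 0;
  while (i < bytes.length) {
    const len = seqLength(bytes[i]);
    if (len === 1) { out.push(bytes[i++]); continue; }
    let cp = len ? bytes[i] & (0xFF >> (len + 1)) : 0;
    let n = 1; // bytes consumed so far
    while (n < Math.max(len, 1) && i + n < bytes.length &&
           (bytes[i + n] & 0xC0) === 0x80) {
      cp = (cp << 6) | (bytes[i + n] & 0x3F);
      n++;
    }
    const wellFormed = len > 0 && n === len &&
      cp >= MIN_CP[len] &&                 // shortest-form check
      cp <= 0x10FFFF &&                    // Unicode range
      !(cp >= 0xD800 && cp <= 0xDFFF);     // no surrogates
    out.push(wellFormed ? cp : 0xFFFD);
    i += n;
  }
  return out;
}

// Percent-decode to bytes, then decode strictly.
// Assumes the input contains only %XX escapes and ASCII characters.
function strictDecodeURI(s) {
  const bytes = [];
  for (let i = 0; i < s.length; i++) {
    if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(s.slice(i + 1, i + 3))) {
      bytes.push(parseInt(s.slice(i + 1, i + 3), 16));
      i += 2;
    } else bytes.push(s.charCodeAt(i) & 0xFF);
  }
  return String.fromCodePoint(...decodeUtf8Strict(bytes));
}
```

The same minimum-value table also rejects the 3-byte overlong form `0xE0 0x81 0x80` that the report notes was already handled correctly.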