
decodeURIComponent/decodeURI allows non-shortest form of 16 bits char on 4 bytes representation

RESOLVED DUPLICATE of bug 511859

Status


Core
String
8 years ago
8 years ago

People

(Reporter: Eduardo Vela N, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details


Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5

Firefox is supposed to consider the non-shortest form exception (http://www.unicode.org/reports/tr36/#UTF-8_Exploit), section 3.1 of the Unicode Technical Report #36, but apparently there's a flaw in it. This is especially problematic because an overlong Unicode sequence that is not taken into consideration may allow several types of filter bypasses.

The following non-shortest form for the char U+1000:
0xF0 0x81 0x80 0x80

is allowed, as well as the correct shortest form:
0xE1 0x80 0x80

Note that this problem is only present in the 4-byte representation (0xE0 0x81 0x80 is correctly marked as U+FFFD).

Reproducible: Always

Steps to Reproduce:
1. alert(decodeURI("%F0%81%80%80")==decodeURI("%E1%80%80"))
2. alert(escape(decodeURI("%F0%81%80%80")))
Actual Results:  
1. true
2. %u1000

Expected Results:  
1. false
2. %uFFFD

Check:
http://www.unicode.org/reports/tr36/#UTF-8_Exploit
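
The shortest-form rule this report refers to, as an added example (not Firefox's code and not part of the original report): a strict decoder for a single percent-encoded UTF-8 sequence that maps any ill-formed input to U+FFFD. The names `percentToBytes`, `decodeOne` and the `checkShortest` switch are hypothetical; with the switch off, the 4-byte input decodes to U+1000, matching the actual results listed above.

```javascript
// Added example: strict UTF-8 decoding of one percent-encoded sequence.
// Smallest code point that legitimately needs a sequence of each length.
const MIN_FOR_LENGTH = { 1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000 };
const REPLACEMENT = 0xFFFD;

// "%F0%81%80%80" -> [0xF0, 0x81, 0x80, 0x80]
function percentToBytes(s) {
  if (!/^(%[0-9A-Fa-f]{2})+$/.test(s)) {
    throw new TypeError("expected %XX triplets only");
  }
  return s.slice(1).split("%").map((h) => parseInt(h, 16));
}

// Decode exactly one UTF-8 sequence; ill-formed input yields U+FFFD.
// checkShortest=false skips the overlong test (assumed lenient behaviour,
// used here only to show what the missing check lets through).
function decodeOne(bytes, checkShortest = true) {
  const b0 = bytes[0];
  let len, cp;
  if (b0 < 0x80) { len = 1; cp = b0; }
  else if ((b0 & 0xE0) === 0xC0) { len = 2; cp = b0 & 0x1F; }
  else if ((b0 & 0xF0) === 0xE0) { len = 3; cp = b0 & 0x0F; }
  else if ((b0 & 0xF8) === 0xF0) { len = 4; cp = b0 & 0x07; }
  else return REPLACEMENT;                 // stray continuation or invalid lead byte
  if (bytes.length !== len) return REPLACEMENT;
  for (let i = 1; i < len; i++) {
    if ((bytes[i] & 0xC0) !== 0x80) return REPLACEMENT; // not a 10xxxxxx byte
    cp = (cp << 6) | (bytes[i] & 0x3F);
  }
  // Non-shortest form: the value would have fit in a shorter sequence.
  if (checkShortest && cp < MIN_FOR_LENGTH[len]) return REPLACEMENT;
  if (cp >= 0xD800 && cp <= 0xDFFF) return REPLACEMENT; // UTF-16 surrogate
  if (cp > 0x10FFFF) return REPLACEMENT;                // beyond Unicode range
  return cp;
}

// Constructed inputs taken from the byte sequences quoted in the report.
for (const s of ["%E1%80%80", "%F0%81%80%80", "%E0%81%80"]) {
  const strict = decodeOne(percentToBytes(s)).toString(16).toUpperCase();
  const lenient = decodeOne(percentToBytes(s), false).toString(16).toUpperCase();
  console.log(`${s}: strict U+${strict}, without shortest-form check U+${lenient}`);
}
```

A filter that compares decoded text against a blocklist is only sound if its decoder applies the same shortest-form check as the component that consumes the text afterwards.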

Comment 1

8 years ago
This is fixed by bug 511859
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 511859