malformed http is parsed incorrectly

NEW
Unassigned

Status

trivial
9 years ago
9 years ago

People

(Reporter: admin, Unassigned)


(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14

If a semicolon is substituted for the colon in HTTP:// the URL will execute and proceed to a Wikipedia page on "HTTP"

Reproducible: Always

Steps to Reproduce:
1. http;//twitter.com
Actual Results:  
enter the url by typing it directly or by making a link on a web page and clicking on it. 

Expected Results:  
arrive at Wikipedia "HTTP" Definition, this is probably dependent on the search in URL box functions.

in 2010? it should auto correct the http; to http: as there is no conflicting protocol, optionally with a warning message

At the very least, the browser should toss an error message like it does when you type "http://" by itself into the URL box

Under no circumstances should it go anywhere unchecked off a malformed http:// entry because of its confusion factor

I am submitting this as a Major bug because it is inside the URL parser and because of the implications of its effect on the user community. Many people will not catch this error as a character substitution and it is a parallel to the O,0 substitution. I am not aware of any security issue but it may be possible to exploit this in, for example, an email link.

In 2010, http;// should probably auto correct to http:// as there is a statistical probability of nearly 100% that it is their intention.
(Reporter)

Comment 1

9 years ago
In certain fonts on Windows and possibly other operating systems this substitution is much less apparent than in iso text, so the effect in a link can be masked much more than the effect in iso text.

Updated

9 years ago
Whiteboard: dupeme
The dupeme would be bug 231720 but that doesn't handle ";"
This special case could be a wontfix.

This is not major, marking trivial; the result is coming from an "I feel lucky" search for http on Google.
Severity: major → trivial
(Reporter)

Comment 3

9 years ago
Firefox responds with "That URL Is Not Valid" when asked for http://. This is normal software behavior. If one of my programs responded to http;// with a "get Lucky" search from Google I would be fired. Maybe this is not a bug, maybe it is just poor programming. If you can't see outside the little box with lights then think of it this way: what is the best customer service solution for malformed URLs that are not a security risk? In 1985 DOS returned the same kind of nonsense with "abort, Retry, Fail". You can't tell me it is not in the best interests of Firefox to have the http;// just map to http:// and avoid the nonsense of searching "I feel lucky" and confusing the hell out of the user. At the very least it is a bug in the respect that Firefox is not giving the same error message it gives for http:// by itself. Think about it.
(Reporter)

Comment 4

9 years ago
Firefox responds with "That URL Is Not Valid" when asked for http://. This is normal software behavior. If one of my programs responded to http;// with a "get Lucky" search from Google I would be fired. Maybe this is not a bug, maybe it is just poor programming. If you can't see outside the little box with lights then think of it this way: what is the best customer service solution for malformed URLs that are not a security risk? In 1985 DOS returned the same kind of nonsense with "abort, Retry, Fail". You can't tell me it is not in the best interests of Firefox to have the http;// just map to http:// and avoid the nonsense of searching "I feel lucky" and confusing the hell out of the user. At the very least it is a bug in the respect that Firefox is not giving the same error message it gives for http:// by itself. Think about it.
this should at least toss the same alert it does for http://
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: dupeme
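
The behaviour requested in this report, sketched as an added example (not Firefox code and not from any commenter): input whose scheme is followed by ";//" is never navigated or searched silently; it yields either a correction the user must confirm or the same error as a bare "http://". The function name, the action labels and the scheme list are assumptions made for illustration, and only "scheme://" style input is covered.

```javascript
// Hypothetical URL-bar classifier; names and action labels are illustrative.
const KNOWN_SCHEMES = ["http", "https", "ftp"]; // assumed allow-list

// "<scheme>://<rest>" with a proper colon.
const WELL_FORMED = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i;
// "<scheme>;//<rest>": the semicolon-for-colon substitution from the report.
const NEAR_MISS = /^([a-z][a-z0-9+.-]*);\/\/(.*)$/i;

function classifyInput(raw) {
  const input = raw.trim();

  const ok = WELL_FORMED.exec(input);
  if (ok) {
    if (!KNOWN_SCHEMES.includes(ok[1].toLowerCase())) {
      return { action: "error", reason: "unknown scheme" };
    }
    if (ok[2] === "") {
      // Bare "http://": the case that already produces an error.
      return { action: "error", reason: "missing host" };
    }
    try {
      return { action: "navigate", url: new URL(input).href };
    } catch {
      return { action: "error", reason: "invalid URL" };
    }
  }

  const near = NEAR_MISS.exec(input);
  if (near && KNOWN_SCHEMES.includes(near[1].toLowerCase())) {
    if (near[2] === "") {
      // "http;//" alone gets the same error as "http://" alone.
      return { action: "error", reason: "missing host" };
    }
    // Offer the fix, but require confirmation so the destination is
    // always visible to the user before any request is made.
    const suggestion = `${near[1].toLowerCase()}://${near[2]}`;
    return { action: "confirm", suggestion };
  }

  // Anything else is treated as search terms.
  return { action: "search", query: input };
}

// Constructed sample inputs.
for (const s of ["http;//twitter.com", "http://", "http://twitter.com", "what is http"]) {
  console.log(JSON.stringify(s), "->", JSON.stringify(classifyInput(s)));
}
```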