Closed
Bug 568410
Opened 14 years ago
Closed 4 years ago
URL spoofing using bidi when opening error page in a new tab
Categories
(Firefox :: General, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: masa141421356, Unassigned)
Details
(Keywords: sec-moderate, Whiteboard: [sg:moderate spoof])
Attachments
(1 file)
598 bytes,
text/html
|
Details |
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100526 Minefield/3.7a5pre (.NET CLR 3.5.30729) Steps to reproduce: 1. Write html that contains following "A" element. <a href="http://123456‮www.example.com">domain</a> 2.Click the link 3.Error page will shown. 4.Read URL shown in location bar Expected result: It is "http://123456%e2%80%aewww.example.com/" (RLO is encoded) Actual result: It looks as "http://123456/moc.elpmaxe.www" (RLO is NOT encoded) This is not reproduced on Firefox 3.6.3.
Reporter | ||
Comment 1•14 years ago
|
||
Reproduced : Opening link in "New tab" Not reproduced : Opening link in "Same tab" or "New window"
Reporter | ||
Comment 2•14 years ago
|
||
PLEASE mark this bug as "Security Sensitive". This bug is also reproduced on Fx3.6.3.
blocking1.9.2: --- → ?
Component: Location Bar → General
Product: Firefox → Core
QA Contact: location.bar → general
Summary: [regression]URL spoofing using bidi (only Trunk) → URL spoofing using bidi when openning URL in new tab
Version: Trunk → 1.9.2 Branch
Reporter | ||
Comment 3•14 years ago
|
||
When using following link, problem is not reproduced. (It shows search result of google, not error page) <a href="http://www.google.com?q=123456‮www.example.com">query</a>
Comment 4•14 years ago
|
||
I just tried following the steps to reproduce using: data:text/html,<a href="http://123456‮www.example.com">domain</a> On both m-c and 3.6 I get the %-encoded string in the url bar. Can you point to a page that would actually show the problem?
Group: core-security
Reporter | ||
Comment 5•14 years ago
|
||
Updated•14 years ago
|
Whiteboard: [sg:moderate spoof]
Reporter | ||
Comment 6•14 years ago
|
||
This problem is reproduced only when opening link in "NEW TAB".
And, this problem seems to be reproduced only when bidi character is used in
host name.
This problem can be used to make faked saver access error.
For example, first link in attachment 447699 [details] is link to www.mozilla.com[RLO].,
not www.mozilla.com., it is impossible to find difference in error page
between error of "www.mozilla.com" and "www.mozilla.com[RLO]".
Reporter | ||
Comment 7•14 years ago
|
||
I wrote test code in URIBarSetURI in browser.js: --------------- function URLBarSetURI(aURI, aValid) { var s = "gBrowser=" + gBrowser; if (gBrowser) {s = s + "\n.userTypedValue=" + gBrowser.userTypedValue;} alert(s); --------------- When openning link in tab, gBrowser.userTypedValue is not null (it contains non-encoded bidi). URLBarSetURI encodes bidi using losslessDecodeURI() bidi only when gBrowser.userTypedValue is null.
Reporter | ||
Comment 8•14 years ago
|
||
This problem is also reproduced in following steps: 1.open testcase 2.Copy link URL in testcase. 3.navigate current tab to about:blank 4.paste URL to location bar and go
Updated•14 years ago
|
Product: Core → Firefox
QA Contact: general → general
Summary: URL spoofing using bidi when openning URL in new tab → URL spoofing using bidi when opening URL in new tab
Version: 1.9.2 Branch → Trunk
Comment 9•14 years ago
|
||
Presumably this is because addTab sets userTypedValue, and the error page doesn't clear it (since there's no onLocationChange?), so the userTypedValue gets displayed as-is forever. Assuming that's all right, there's no way to have this happen when an actual page loads, since the onLocationChange will update the value accordingly in that case...
Comment 10•14 years ago
|
||
(In reply to comment #9) > Presumably this is because addTab sets userTypedValue This should probably be http://www.mozilla.com%E2%80%AE/, though, rather than http://www.mozilla.com/
Comment 11•14 years ago
|
||
This wouldn't block a release, but we would take a patch on the branches if there is one.
blocking1.9.2: ? → -
status1.9.2:
--- → wanted
Comment 12•14 years ago
|
||
(In reply to comment #9) > Assuming that's all right, there's no way to have > this happen when an actual page loads, since the onLocationChange will update > the value accordingly in that case... Given that, I don't think we'd want to bother taking this on branches at all. We should probably also open this bug.
Updated•13 years ago
|
Assignee: nobody → bmcbride
Status: NEW → ASSIGNED
Updated•13 years ago
|
Group: core-security
Summary: URL spoofing using bidi when opening URL in new tab → URL spoofing using bidi when opening error page in a new tab
Updated•12 years ago
|
Keywords: sec-moderate
Updated•12 years ago
|
Assignee: bmcbride → nobody
Status: ASSIGNED → NEW
Comment 13•4 years ago
|
||
Dan and I can't repro this, and we think it's fixed, do you think we can close it?
Flags: needinfo?(jfkthame)
Comment 14•4 years ago
|
||
Agreed, this doesn't seem to reproduce any longer. (I get punycode in the error page when I try the examples given, which seems like the correct result.)
Flags: needinfo?(jfkthame)
Updated•4 years ago
|
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•