Closed
Bug 588982
Opened 15 years ago
Closed 15 years ago
When there is no encoding, Microsoft ASCII codes between 128 and 159 convert to some other characters.
Categories
(Core :: Networking: Cookies, defect)
RESOLVED
DUPLICATE
of bug 418394
People
(Reporter: soroush.dalili, Unassigned)
Details
(Whiteboard: [sg:dupe 418394])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
I saw this problem in several places. One place where I can describe this problem is in cookies.
Microsoft ASCII codes between 128 and 159 convert to UTF8 instead of UTF16. So, they convert to some other characters.
For example, the "€" character (Alt+"0128") is translated to "U+20AC", which is UTF16. Mozilla Firefox only keeps "AC" from "20AC" and discards "20" when you want to put this character in a cookie.
Another example: "Š" (%u0160) converts to the "`" (%60) character.
Reproducible: Always
Steps to Reproduce:
1. Create an HTML file with the following code:
    <script>
    // Cookie pair containing two non-ASCII characters
    var str = 'testCookie=Š€';
    document.cookie = str;
    alert('String: ' + str);
    alert('Cookie: ' + document.cookie);
    // Compare what was written with what the browser stored
    if (document.cookie != str) {
        alert('Err: String value is not the same as the cookie!');
    } else {
        alert('Everything is fine without any error.');
    }
    </script>
2. Run this file using Mozilla Firefox.
3. You will see the results.
Actual Results:
String value is not the same as the cookie
Expected Results:
String value must be same as the cookie
As I wasn't sure if someone can use this issue to bypass something like NoScript, I made it hidden. Please make it public if there is no concern.
----
PS1: I saw the same situation when using the Hackbar add-on as well.
PS2: Some other Java applications have the same issue, which are not related to this topic.
PS3 (perhaps not related to this issue): Microsoft, in an ASP file, accepts this character as "%80". So, these are the same in an ASP file: "test.asp?x=%u20AC" and "test.asp?x=%80".
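Added example, not part of the original report or of Firefox's code: a JavaScript model of the conversion the report describes (each UTF-16 code unit cut to its low byte), next to a percent-encoded cookie pair that passes through that conversion unchanged. All function names are hypothetical, and the low-byte model is an assumption drawn from the report's two cases.

```javascript
// Added example. The low-byte model below is an assumption based on the
// report's two cases (U+0160 -> 0x60, U+20AC -> 0xAC); names are hypothetical.

// Model of the reported conversion: keep only the low 8 bits of each code unit.
function lowByteTruncate(str) {
  let out = '';
  for (let i = 0; i < str.length; i++) {
    out += String.fromCharCode(str.charCodeAt(i) & 0xff);
  }
  return out;
}

// Report every code unit that such a conversion would change.
function lossyChars(str) {
  const hits = [];
  for (let i = 0; i < str.length; i++) {
    const unit = str.charCodeAt(i);
    if (unit > 0xff) {
      hits.push({ index: i, from: unit, to: unit & 0xff });
    }
  }
  return hits;
}

// Build an ASCII-only "name=value" pair: non-ASCII becomes %XX UTF-8 bytes.
function buildCookiePair(name, value) {
  return encodeURIComponent(name) + '=' + encodeURIComponent(value);
}

// Read one cookie back from a document.cookie-style string.
function readCookie(cookieString, name) {
  const wanted = encodeURIComponent(name);
  for (const part of cookieString.split(/;\s*/)) {
    const eq = part.indexOf('=');
    if (eq === -1 || part.slice(0, eq) !== wanted) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1));
    } catch (e) {
      return null; // malformed percent-encoding: treat as absent
    }
  }
  return null;
}

// Value from the report's test case, written with escapes.
const reported = '\u0160\u20AC';
const pair = buildCookiePair('testCookie', reported);
console.log(lossyChars(reported), JSON.stringify(pair));
```

A server or script that reads such a cookie has to apply the matching decode step, as `readCookie` does, before comparing or filtering the value.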
Comment 1•15 years ago
I believe this is more of an interoperability issue than a security issue. I agree this looks wrong, but is a more reasonable behavior actually specified somewhere?
Group: core-security
Component: General → Networking: Cookies
QA Contact: general → networking.cookies
Updated•15 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 418394]
Updated•13 years ago
Group: core-security