Closed Bug 73597 Opened 23 years ago Closed 23 years ago

URL w/ IPv4 address as decimal + 2 @ signs.

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 67730
Milestone:
mozilla1.0

People

(Reporter: Marko.Macek, Assigned: neeti)

References

(
URL
)

Details

the "URL" can't be visited by mozilla ;)

I'm not sure the URL is valid but it's handled fine by 4.76 and IE 5.5
Because of the patent problems, Mozilla has to filter out all zeros and ones.

This should move to evangelism, to ask CNN to use URL's without zero's and ones 
in it.
This URL isn't just "tricky" its crazy. From what I can tell, this URL is
routing to a downstream computer from centralhosting.net

http://www.cnn.com@sci-tech@3520040376/new_010325/alert/breakingnews.html

3520040376 is the host (I didn't know you could just put in a number, but every
browser I see goes to centralhosting.net
sci-tech appears to be the user at centralhosting, with www.cnn.com being the
user under sci-tech. 
Then /new_010325/alert/breakingnews.html is the directory on that server. The
problem I have is that you don't even need the domains @ 3520040376. 
You can just go to centralhosting.net and get the document
new_010325/alert/breakingnews.html

I don't know what the format of a URL is supposed to be, but I can say that this
will definately be a fringe case. 

On the plus side, mozilla does get to http://3520040376/ just fine.
It also gets to sci-tech@3520040376 fine
its the second (or first if you read from left to right) @ domain www.cnn.com
that doesn't seem to work. Mozilla sends sci-tech@3520040376 as a search parameter.

Well, hope this helps. Now off to read the URI spec to figure out how that
number works.

That number is just he IP address in straight decimal instead of dotted notation.

That being said, the URL provided does not load for me with Netscape 4.x on
Linux.  Mozilla on linux reports that the hostname "sci-tech@3520040376" could
not be found.
Note: whether you can resolve this URL or not may depend on your proxy server. I 
get an error from our transparent web cache.

Gerv
If I'm correct the normal format to pass a username and password:

htt://username:password@server.com or username@server.com
At least it works that way with FTP.

Password can have a '@' sign in it , so Mozilla should probably scan for the 
last '@' when breaking up the URL into it's parts.

Typing in the addres bar: http://username:pass@word@www.mozilla.org gives 
error 'word@www.mozilla.org could not be found'
http://username:password@www.mozilla.org works as expected.
Target Milestone: --- → mozilla1.0
Where did this url appear?
I got the URL in some mail by a friend.
mass move, v2.
qa to me.
QA Contact: tever → benc
'@' is not an allowed character in <userinfo> (RFC 2396; you have to escape it).
Straight decimal IP addresses aren't valid either.

Only question I have: Is this bug INVALID or Evangelism?

This URL may die if we ever fix bug 67730.

The hostname resolution will die:

<big number> is not a FQDN or an IPV4 address, so it should never attempt to
connect.

The host is a domain name of a network host, or its IPv4 address as a set of
four decimal digit groups separated by ".". Literal IPv6 addresses are not
supported.

            hostport      = host [ ":" port ]
            host          = hostname | IPv4address
            hostname      = *( domainlabel "." ) toplabel [ "." ]
            domainlabel   = alphanum | alphanum *( alphanum | "-" ) alphanum
            toplabel      = alpha | alpha *( alphanum | "-" ) alphanum
            IPv4address   = 1*digit "." 1*digit "." 1*digit "." 1*digit
            port          = *digit

http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2396.html
Summary: can't visit tricky url → URL w/ IPv4 address as decimal + 2 @ signs.
If the RFC says it's invalid, go ahead and mark it INVALID.

I just wanted to know if this was allowed by too relaxed parsers in ns4 and ie.

I hope bug 67730 gets fixed too...
If you create a URL w/ the IP address as a dotted quad, and it doesn't work,
you should still push for analysis of the double "@" sign question in a new bug.


*** This bug has been marked as a duplicate of 67730 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
+verifyme - looking for someone to second my motion for resolution...
Keywords: verifyme
I question whether this should be a duplicate, or whether it should be changed
to be a bug about handling @ symbols in the URL. I understand that the symbol is
forbidden, but couldn't mozilla try to correct for that?

Also, it appears the page is now a 404.. oh well, it was funny.

If someone can point out where it says we shouldn't allow @ symbols, I'll verify.
Here's my take:

From reading RFC 1738:

HTTP does not support this, it supports a narrower:

      http://<host>:<port>/<path>?<searchpart>
So, everything between "http://" and the next "/" (since there is no ":port" in
this case), is treated as a hostname.

As such, "www.cnn.com@sci-tech@3520040376" as a hostname would also be invalid.

; HTTP

httpurl        = "http://" hostport [ "/" hpath [ "?" search ]]
hpath          = hsegment *[ "/" hsegment ]
hsegment       = *[ uchar | ";" | ":" | "@" | "&" | "=" ]
search         = *[ uchar | ";" | ":" | "@" | "&" | "=" ]

In either case: "@" is reserved, it is not part the definitions of alpha or digits:

reserved       = ";" | "/" | "?" | ":" | "@" | "&" | "="

lowalpha       = "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" |
                 "i" | "j" | "k" | "l" | "m" | "n" | "o" | "p" |
                 "q" | "r" | "s" | "t" | "u" | "v" | "w" | "x" |
                 "y" | "z"
hialpha        = "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" |
                 "J" | "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" |
                 "S" | "T" | "U" | "V" | "W" | "X" | "Y" | "Z"

alpha          = lowalpha | hialpha
digit          = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" |
                 "8" | "9"

If it were part of the password, you could URL (hex) encode it:

"If the character corresponding to an octet is
   reserved in a scheme, the octet must be encoded.  "
Status: RESOLVED → VERIFIED
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.