Open Bug 820293 Opened 13 years ago Updated 2 years ago

Percent in URI not encoded

Categories

(Core :: Networking: HTTP, defect, P3)

10 Branch
x86_64
Windows 7
defect

Tracking


UNCONFIRMED

People

(Reporter: maurizio1, Unassigned)

Details

(Whiteboard: [necko-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.11) Gecko/20100101 Firefox/10.0.11
Build ID: 20121115102332

Steps to reproduce:

My SQL-injection test case tells Firefox to send out the following request to our webapp:

====
GET /app/error?errorMessage=No+data+for+run+1234';+select+passwd+from+accounts+where+username+like+'%'
====

Actual results:

Firefox sends out the request:

====
GET /app/error?errorMessage=No+data+for+run+1234%27;+select+passwd+from+accounts+where+username+like+%27%%27
====

Subsequently our webapp gives another error:

====
java.lang.IllegalArgumentException: URLDecoder: Illegal hex characters in escape (%) pattern - For input string: "%2"
====

Expected results:

If I am not mistaken, according to http://tools.ietf.org/html/rfc3986 paragraph 2.4 the percent character should have been encoded, i.e. Firefox should have sent the following request:

====
GET /app/error?errorMessage=No+data+for+run+1234%27;+select+passwd+from+accounts+where+username+like+%27%25%27
====

I checked that our webapp in that case works fine. It may be that I misinterpreted rfc3986, or that there are good reasons to deviate from rfc3986, but please tell me so that this gets documented somewhere (I couldn't find it so far).
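To make the three request forms in the report concrete, here is an added example in Python (not code from the bug, from Firefox or from Necko): a strict percent-decoder that fails on the bare '%' the same way the reporter's Java URLDecoder did, beside an RFC 3986 encoder that produces the %25 form the reporter expected. The value strings are copied from the report; the function names are assumptions of this example.

```python
import re
from urllib.parse import quote

# Constructed from the report: the value the test case meant to send (decoded),
INTENDED_VALUE = ("No data for run 1234'; select passwd from accounts "
                  "where username like '%'")
# what Firefox actually sent (bare '%' before the final %27),
FIREFOX_WIRE = ("No+data+for+run+1234%27;+select+passwd+from+accounts"
                "+where+username+like+%27%%27")
# and what the reporter expected under RFC 3986 section 2.4.
EXPECTED_WIRE = ("No+data+for+run+1234%27;+select+passwd+from+accounts"
                 "+where+username+like+%27%25%27")

_HEX_PAIR = re.compile(r"%([0-9A-Fa-f]{2})")

def strict_unquote(value: str) -> str:
    """Decode a form-encoded value, rejecting a '%' not followed by two hex digits.
    (urllib.parse.unquote would silently pass a bare '%' through instead.)"""
    buf = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "%":
            m = _HEX_PAIR.match(value, i)
            if m is None:  # the condition behind the report's java.lang.IllegalArgumentException
                raise ValueError("Illegal hex characters in escape (%) pattern "
                                 f"- For input string: {value[i + 1:i + 3]!r}")
            buf.append(int(m.group(1), 16))
            i += 3
        elif ch == "+":  # form-encoding convention for space, as URLDecoder does
            buf.append(0x20)
            i += 1
        else:
            buf.extend(ch.encode("utf-8"))
            i += 1
    return buf.decode("utf-8")

def rfc3986_quote_query_value(value: str) -> str:
    """Encode a query value so a literal '%' becomes %25 (RFC 3986 section 2.4).
    ';' stays literal and space becomes '+', matching the request in the report."""
    return quote(value, safe=";").replace("%20", "+")

def decodes_cleanly(value: str) -> bool:
    """True when strict decoding succeeds, i.e. the server side would not raise."""
    try:
        strict_unquote(value)
    except ValueError:
        return False
    return True
```

Running `decodes_cleanly` over the two wire forms shows the server-side failure is caused only by the unencoded '%', and that the %25 form round-trips back to the intended value.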
OS: Windows 7 → Linux
Hardware: x86_64 → x86
OS: Linux → Windows 7
Hardware: x86 → x86_64
> My SQL-injection test case tells firefox

How does your SQL-Injection test case tell Firefox to load the URL?
The test case is run by Selenium, but as a matter of fact the webapp returns an HTTP 301 with:

====
Location: http://server.x.y.z:8080/app/error?errorMessage=No+data+for+run+1234';select+passwd+from+accounts+where+username+like+'%'
====

(intercepted with tcpdump) which subsequently triggers the browser to send out a new request. However, I also typed the URL manually in the browser's location bar with the same result.
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Whiteboard: [necko-backlog]
Priority: -- → P1
Priority: P1 → P3
Severity: normal → S3