Closed Bug 932498 Opened 9 years ago Closed 9 years ago

bad-behavior framework blocks Gecko/25 User-Agent string


(Web Compatibility :: Mobile, defect)

Not set


(Not tracked)



(Reporter: karlcow, Unassigned)




(Whiteboard: [sitewait] [lib-badbehavior] [serversniff])

When Firefox OS/Firefox Android contains Gecko/25, the framework bad-behavior blocks the user agent string with a 403.

GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate, compress
User-Agent: Android Mobile Gecko/25

HTTP/1.1 403 Bad Behavior
Content-Encoding: gzip
Content-Length: 740
Content-Type: text/html; charset=UTF-8
Date: Tue, 29 Oct 2013 21:15:26 GMT
Server: Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_bwlimited/1.4
Vary: User-Agent,Accept-Encoding
X-Powered-By: PHP/5.3.24

Any string which is on the form 

"Gecko/25.*" is being blocked.
Gecko/252, Gecko/2525, etc. even Gecko/25a

In the source code of the framework, we can see in the file, line 86 of the version 2.2.14

		"Gecko/2525",		// revisit this in 500 years
See Also: → 932026
Contacted the owner
Whiteboard: [contactready] [lib-badbehavior] [serversniff] → [sitewait] [lib-badbehavior] [serversniff]
Closing as INVALID. New version of bad Behavior behaves correctly.

> I cannot reproduce this with Bad Behavior 2.2.14. This update, released April 9, 2013, 
> contains a fix for this issue. As you can see, it was released well in advance of Firefox 25.
> The corrected User-Agent blacklist string targets a malicious User-Agent which contains
> "Gecko/2525" which was followed by an obviously false month and day, in the manner in 
> which Mozilla products previously structured this part of the User-Agent. Prior to the 
> change, it would match anything that contained "Gecko/25". This change was made in 
> response to Mozilla's changing of the structure of the User-Agent string.
> The most likely cause is that they did not apply the update to 2.2.14 correctly 
> (or at all). I would recommend that they remove their existing copy and upload a 
> fresh copy.
> If you wish, you may refer the user to Bad Behavior's bug tracker at 
Closed: 9 years ago
Resolution: --- → INVALID
See Also: → 935657
Blocks: 935657
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.