Bug 21977

Summary: KURL should prohibit most escape sequences in hostnames
Product: WebKit
Component: Platform
Status: RESOLVED INVALID
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Reporter: Brett Wilson (Google) <brettw>
Assignee: Nobody <webkit-unassigned>
CC: abarth, annevk
Bug Depends on:
Bug Blocks: 37641
Brett Wilson (Google)
KURL allows hostnames such as "hello%03world" or even more scarily "hello%00world" or "hello%2fworld" (which will unescape to "hello/world").
If the URL is extracted and unescaped (many of the component getters unescape by default, including host()) and passed to another system, such as the native OS's URL object, it could be treated as a completely different URL, with different security policy.
Google Chrome uses the lookup table at the top of this file:
http://code.google.com/p/google-url/source/browse/trunk/src/url_canon_host.cc
Characters marked with "kEsc" are allowed to be escaped, while characters marked with 0 are disallowed either escaped or unescaped in hostnames. This table prohibits control characters, characters that may change the parsing of the URL if unescaped like /?#, and NULL. I think KURL needs to do the same.
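The check the comment above asks for, as an added example (this is not KURL's or Chrome's code, and the character table is a simplified assumption modeled on the kEsc / 0 scheme the comment describes, not the actual url_canon_host.cc table): each %XX sequence is decoded first, then the resulting byte is classified, so "hello%2fworld" is judged as the '/' it unescapes to and rejected, while a tolerated punctuation byte is re-emitted in escaped form and letters are lowercased.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>

// Character classes for one byte of a hostname after percent-decoding.
enum HostCharClass : uint8_t {
    kDisallowed = 0,  // invalid whether it appears literally or as %XX
    kValid      = 1,  // passed through as-is (ASCII letters lowercased)
    kEsc        = 2,  // tolerated, but always re-escaped as %XX in the output
};

// Simplified classification (an assumption for this example, not the real
// Chrome or WebKit table):
//  - ASCII letters, digits, '-', '.', '_' are valid hostname bytes.
//  - A few punctuation bytes that cannot change URL parsing are kept escaped.
//  - Everything else is disallowed: control characters including NUL, space,
//    the delimiters '/', '?', '#', '\\', '@', ':', '[', ']', a literal '%',
//    and non-ASCII bytes (a real canonicalizer hands those to IDNA instead).
static HostCharClass classify(unsigned char c) {
    if (c >= 0x80) return kDisallowed;
    if (std::isalnum(c)) return kValid;
    switch (c) {
        case '-': case '.': case '_':
            return kValid;
        case '!': case '$': case '&': case '\'': case '(': case ')':
        case '*': case '+': case ',': case ';': case '=': case '~':
            return kEsc;
        default:
            return kDisallowed;
    }
}

static int hexValue(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Canonicalizes `input` into `out`. Returns false when the host contains a
// byte (literal or %-escaped) that is not allowed in a hostname, a malformed
// escape sequence, or nothing at all. On success `out` is the canonical form.
bool canonicalizeHost(const std::string& input, std::string& out) {
    out.clear();
    for (size_t i = 0; i < input.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(input[i]);
        if (c == '%') {
            // Decode %XX before classifying, so the escaped byte is judged by
            // what it unescapes to, not by the harmless-looking '%'.
            if (i + 2 >= input.size()) return false;
            int hi = hexValue(static_cast<unsigned char>(input[i + 1]));
            int lo = hexValue(static_cast<unsigned char>(input[i + 2]));
            if (hi < 0 || lo < 0) return false;
            c = static_cast<unsigned char>(hi * 16 + lo);
            i += 2;
        }
        switch (classify(c)) {
            case kValid:
                out.push_back(static_cast<char>(std::tolower(c)));
                break;
            case kEsc: {
                static const char kHex[] = "0123456789ABCDEF";
                out.push_back('%');
                out.push_back(kHex[c >> 4]);
                out.push_back(kHex[c & 0x0F]);
                break;
            }
            case kDisallowed:
                return false;
        }
    }
    return !out.empty();
}

// Convenience wrapper: the canonical host, or "" if the host was rejected
// (a successful canonicalization is never empty, so "" is unambiguous).
std::string canonicalHostOrEmpty(const std::string& input) {
    std::string out;
    return canonicalizeHost(input, out) ? out : std::string();
}

int main() {
    // Constructed sample inputs, including the three hosts from the report.
    const char* samples[] = {"Example.COM", "hello%03world", "hello%00world",
                             "hello%2fworld", "hello!world", "hello%41", "a%2"};
    for (const char* s : samples) {
        std::string canon = canonicalHostOrEmpty(s);
        std::cout << s << " -> " << (canon.empty() ? "REJECTED" : canon) << "\n";
    }
    return 0;
}
```

The point of decoding before classifying is that the same table rejects "hello/world" and "hello%2fworld" alike; a consumer that unescapes host() and re-parses the result therefore never sees a delimiter that the original parser did not.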
Anne van Kesteren
KURL is gone.