[Webkit-unassigned] [Bug 15047] New: "%5C" is mysteriously stripped from hostnames without being rejected
bugzilla-daemon at webkit.org
Wed Aug 22 10:53:45 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=15047
Summary: "%5C" is mysteriously stripped from hostnames without being rejected
Product: WebKit
Version: 522+ (nightly)
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: NEW
Severity: Normal
Priority: P2
Component: Page Loading
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: marv.decker at gmail.com

Safari seems to strip "%5c" from host names, which could lead to possible
phishing problems. This appears to happen in the network stack you use, as KURL
seems to not touch it.

The issue is that some applications might choose to display this URL
as unescaped:
  http://www.wellsfargo.com\login.evil.ru
But when sent through Safari as
  http://www.wellsfargo.com%5Clogin.evil.ru
it will be sent over the network as
  http://www.wellsfargo.comlogin.evil.ru
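
Added example (not part of the bug report and not WebKit's code): one way a URL-handling component can avoid the behaviour reported above is to percent-decode the host and reject the URL when a delimiter such as a backslash appears, instead of dropping the character. The names rawHost, checkHost and FORBIDDEN are assumptions of this example, and it handles registered host names only, not IPv6 literals.

```javascript
// Characters that must never appear in a host name once percent-escapes are
// decoded. "%" is included so double-encoded input (%255C) is refused too.
// (Assumed list for this example; IPv6 literals in [] are out of scope.)
const FORBIDDEN = /[\x00-\x20\x7f#%\/:<>?@\[\\\]^|]/;

// Extract the host exactly as written, without normalising or stripping it.
function rawHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  let authority = m[1];
  const at = authority.lastIndexOf("@");          // drop any userinfo
  if (at !== -1) authority = authority.slice(at + 1);
  return authority.replace(/:\d*$/, "");          // drop a trailing port
}

// Return { ok: true, host } for a clean host, { ok: false, reason } otherwise.
function checkHost(url) {
  const host = rawHost(url);
  if (host === null || host === "") return { ok: false, reason: "no host" };
  let decoded;
  try {
    decoded = decodeURIComponent(host);           // "%5C" becomes "\"
  } catch (e) {
    return { ok: false, reason: "malformed percent-escape in host" };
  }
  const bad = FORBIDDEN.exec(decoded);
  if (bad) {
    // Reject outright: silently removing the character changes which
    // host the request is sent to.
    return { ok: false, reason: "forbidden character " + JSON.stringify(bad[0]) + " in host" };
  }
  return { ok: true, host: decoded.toLowerCase() };
}

// Constructed sample inputs, including the URL forms from the report.
const samples = [
  "http://www.wellsfargo.com%5Clogin.evil.ru",
  "http://www.wellsfargo.com\\login.evil.ru",
  "http://www.wellsfargo.com%255Clogin.evil.ru",
  "http://www.example.com:8080/index.html",
];
for (const s of samples) console.log(s, "->", JSON.stringify(checkHost(s)));
```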