[Webkit-unassigned] [Bug 20559] New: decodeURLEscapeSequences will unescape NULLs and will mangle not encodable characters
bugzilla-daemon at webkit.org
Thu Aug 28 10:54:16 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=20559
Summary: decodeURLEscapeSequences will unescape NULLs and will mangle not encodable characters
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: marv.decker at gmail.com
decodeURLEscapeSequences will unescape "%00" in a URL to generate a string with
embedded NULLs. I don't know of a specific problem with this, but it can be
very dangerous, because then all the string handling in the rest of the
application must handle NULLs correctly. There have been security holes in
other web browsers because of doing stuff like this. IE doesn't unescape NULLs
in this case (it converts them to "%2500"), and I don't think WebKit should,
either.

When decodeURLEscapeSequences encounters an escape sequence, it will unescape
it and then try to convert it using the given encoding. Normally, this is
UTF-8. If you just request the path() of a URL, it will automatically decode
it! This is a destructive operation.

If you generate a character not in the character set (in this case, UTF-8),
then it will be replaced with the "invalid character." If you try to compose
this again, the URL will be corrupted.

This is actually a pretty big problem. If I'm on a Japanese page with a path
encoded as ShiftJIS (escaped), and that page requests
document.location.pathname, it will be wrong.

I don't think that these URL components should be unescaped at all by the
component getters like KURL.host() and KURL.path(). Neither Firefox nor IE does
this. IE is a little tricky. It will keep around the unescaped form, so it will
depend on whether the URL in the original link was Unicode or escaped.
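As an added illustration of the two failure modes in this report (not WebKit code, and `safeDecode`, `escapeAt`, `utf8Length` and `decodeExact` are names chosen here): a component decoder that refuses to materialise "%00" as a NUL and leaves escaped bytes that are not valid UTF-8 in their escaped form instead of replacing them with U+FFFD, so the decoded value can be re-composed without corruption.

```javascript
// Added example, not WebKit's code: a percent-decoder for URL components that never
// produces an embedded NUL and never replaces undecodable bytes with U+FFFD. "%00" and
// escaped bytes that are not valid UTF-8 stay escaped, so the result re-composes losslessly.
const utf8Decoder = new TextDecoder('utf-8');
const utf8Encoder = new TextEncoder();

// Byte value of the escape at s[i..i+2], or -1 if there is no escape there.
function escapeAt(s, i) {
  const hex = s.slice(i + 1, i + 3);
  return s[i] === '%' && /^[0-9A-Fa-f]{2}$/.test(hex) ? parseInt(hex, 16) : -1;
}

// Length of the UTF-8 sequence introduced by lead byte b, or 0 if b cannot lead one.
function utf8Length(b) {
  if (b < 0x80) return 1;
  if (b >= 0xC2 && b <= 0xDF) return 2;
  if (b >= 0xE0 && b <= 0xEF) return 3;
  if (b >= 0xF0 && b <= 0xF4) return 4;
  return 0; // continuation byte, or a lead byte that is never valid (C0, C1, F5..FF)
}

// UTF-8 text for bytes, or null unless it re-encodes byte-for-byte (rejects truncated,
// overlong and surrogate sequences, which the non-fatal decoder would turn into U+FFFD).
function decodeExact(bytes) {
  const back = utf8Encoder.encode(utf8Decoder.decode(bytes));
  const same = back.length === bytes.length && back.every((b, j) => b === bytes[j]);
  return same ? utf8Decoder.decode(bytes) : null;
}

function safeDecode(escaped) {
  let out = '';
  for (let i = 0; i < escaped.length; ) {
    const lead = escapeAt(escaped, i);
    if (lead === -1) { out += escaped[i++]; continue; }  // not an escape: copy through
    const n = utf8Length(lead);
    const bytes = [];
    for (let k = 0; k < n; k++) {
      const b = escapeAt(escaped, i + 3 * k);
      if (b === -1) break;
      bytes.push(b);
    }
    const text = lead !== 0 && n > 0 && bytes.length === n
      ? decodeExact(Uint8Array.from(bytes)) : null;
    if (text === null) { out += escaped.slice(i, i + 3); i += 3; }  // keep NUL/invalid escaped
    else { out += text; i += 3 * n; }
  }
  return out;
}
```

For comparison, a plain UTF-8 decode of the constructed ShiftJIS-escaped path "%82%A0" gives two U+FFFD characters, which re-escape as "%EF%BF%BD%EF%BF%BD" rather than the original bytes; safeDecode returns "%82%A0" unchanged.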