[Webkit-unassigned] [Bug 21975] New: decodeURLEscapeSequences will generate embedded null characters
bugzilla-daemon at webkit.org
Thu Oct 30 10:15:08 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=21975
Summary: decodeURLEscapeSequences will generate embedded null characters
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: brettw at chromium.org
This function will convert %00 to an embedded null character in the output
string. This function is used in many of KURL's getters.
This is potentially dangerous. IE, Firefox, and Google Chrome don't convert %00
to NULL, even in JavaScript URLs. Some APIs don't expect embedded NULs.
One such API is KURL::init. It does things like this:
while (*relStringPos && *relStringPos != '?' && *relStringPos != '#') {
which will stop at an embedded NULL. This means that if you build up a URL from
parts extracted from a different URL, it could be completely different. This
could be a security bug.
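To make the truncation concrete, here is an added example (not WebKit's code) with two hypothetical helpers: decodeEscapes, a minimal %XX decoder that can either emit %00 as a NUL byte or leave it encoded as the other browsers do, and pathBeforeQuery, which scans with a C-string loop like the one quoted from KURL::init. The input URL is constructed for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helper: value of a hex digit, or -1 if not hex.
static int hexVal(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Hypothetical decoder. With keepNul == false, "%00" becomes an embedded
// NUL byte (the behaviour the report describes). With keepNul == true the
// escape is left as "%00", so no NUL can reach C-string based callers.
std::string decodeEscapes(const std::string& in, bool keepNul) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && hexVal(in[i + 1]) >= 0 && hexVal(in[i + 2]) >= 0) {
            int byte = hexVal(in[i + 1]) * 16 + hexVal(in[i + 2]);
            if (byte == 0 && keepNul)
                out += "%00";
            else
                out += static_cast<char>(byte);
            i += 2;
            continue;
        }
        out += in[i];
    }
    return out;
}

// Mimics the KURL::init-style scan quoted in the report: it walks a
// C string until NUL, '?' or '#', so an embedded NUL silently ends it.
std::string pathBeforeQuery(const char* s) {
    const char* p = s;
    while (*p && *p != '?' && *p != '#')
        ++p;
    return std::string(s, p - s);
}

int main() {
    const std::string url = "/a%00b/evil?x=1";  // constructed sample
    std::string withNul = decodeEscapes(url, false);
    std::string kept = decodeEscapes(url, true);
    // The NUL-containing string is 13 bytes long, but the scan sees only "/a".
    std::cout << "decoded length: " << withNul.size() << "\n";
    std::cout << "path (NUL decoded): " << pathBeforeQuery(withNul.c_str()) << "\n";
    std::cout << "path (NUL kept):    " << pathBeforeQuery(kept.c_str()) << "\n";
    return 0;
}
```

The path extracted from the NUL-decoded string is "/a", while the same URL with %00 left encoded yields "/a%00b/evil"; rebuilding a URL from the former loses everything after the escape.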