[Webkit-unassigned] [Bug 21977] New: KURL should prohibit most escape sequences in hostnames
bugzilla-daemon at webkit.org
Thu Oct 30 11:26:01 PDT 2008
https://bugs.webkit.org/show_bug.cgi?id=21977
Summary: KURL should prohibit most escape sequences in hostnames
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: brettw at chromium.org
KURL allows hostnames such as "hello%03world" or even more scarily
"hello%00world" or "hello%2fworld" (which will unescape to "hello/world").
If the URL is extracted and unescaped (many of the component getters unescape
by default, including host()) and passed to another system, such as the native
OS's URL object, it could be treated as a completely different URL, with
different security policy.
Google Chrome uses the lookup table at the top of this file:
http://code.google.com/p/google-url/source/browse/trunk/src/url_canon_host.cc
Characters marked with "kEsc" are allowed to be escaped, while characters
marked with 0 are disallowed either escaped or unescaped in hostnames. This
table prohibits control characters, characters that may change the parsing of
the URL if unescaped like /?#, and NULL. I think KURL needs to do the same.
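The kind of check the report asks for, as an added example that is not part of the original report and is not KURL or google-url code: the host is unescaped once, and every byte, whether it arrived escaped or literal, is tested against the characters the report names. The names checkHost, HostCheck and forbiddenInHost are hypothetical, and rejecting malformed escapes is an assumption of this sketch.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

// Hypothetical names for illustration; not taken from KURL or google-url.
enum class HostCheck { Ok, MalformedEscape, ForbiddenChar };

static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Characters the report names: control characters, NUL, and delimiters
// that would change how the URL parses once unescaped (/ ? #).
static bool forbiddenInHost(unsigned char c) {
    return c < 0x20 || c == 0x7f || c == '/' || c == '?' || c == '#';
}

// Checks a raw (still escaped) host component. `decoded` holds the
// unescaped host only when the result is Ok; on any other result it
// must not be handed to another URL consumer.
HostCheck checkHost(std::string_view raw, std::string& decoded) {
    decoded.clear();
    for (std::size_t i = 0; i < raw.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(raw[i]);
        if (c == '%') {
            // Assumption: a truncated or non-hex escape is rejected outright.
            if (i + 2 >= raw.size()) return HostCheck::MalformedEscape;
            int hi = hexValue(raw[i + 1]);
            int lo = hexValue(raw[i + 2]);
            if (hi < 0 || lo < 0) return HostCheck::MalformedEscape;
            c = static_cast<unsigned char>(hi * 16 + lo);
            i += 2;
        }
        // Same policy for escaped and literal bytes, so unescaping the
        // host later cannot introduce a character that was not vetted.
        if (forbiddenInHost(c)) {
            decoded.clear();
            return HostCheck::ForbiddenChar;
        }
        decoded.push_back(static_cast<char>(c));
    }
    return HostCheck::Ok;
}
```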