[Webkit-unassigned] [Bug 21977] New: KURL should prohibit most escape sequences in hostnames

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 30 11:26:01 PDT 2008


           Summary: KURL should prohibit most escape sequences in hostnames
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: brettw at chromium.org

KURL allows hostnames such as "hello%03world" or even more scarily
"hello%00world" or "hello%2fworld" (which will unescape to "hello/world").

If the URL is extracted and unescaped (many of the component getters unescape
by default, including host()) and passed to another system, such as the native
OS's URL object, it could be treated as a completely different URL, with
different security policy.

Google Chrome uses the lookup table at the top of this file:
Characters marked with "kEsc" are allowed to be escaped, while characters
marked with 0 are disallowed either escaped or unescaped in hostnames. This
table prohibits control charcters, characters that may change the parsing of
the URL if unescaped like /?#, and NULL. I think KURL needs to do the same.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list