[Webkit-unassigned] [Bug 34668] New: WebKit seems willing to load URLs it considers "invalid"
bugzilla-daemon at webkit.org
Fri Feb 5 16:53:49 PST 2010
https://bugs.webkit.org/show_bug.cgi?id=34668
Summary: WebKit seems willing to load URLs it considers "invalid"
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: Platform
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: brettw at chromium.org
CC: eric at webkit.org, fishd at chromium.org
This report is related to this bug in Chromium:
http://code.google.com/p/chromium/issues/detail?id=160
The bug itself does not actually affect Safari, even though tracing through
KURL it clearly thinks
ed2k://|serverlist|http://www.gruk.org/server.met|/
is an invalid URL due to the presence of "|" in the host. It bothers checking
the host at all because it sees "://" and treats the URL as hierarchical.
Chromium has been very strict about never doing anything with invalid URLs,
since crazily formatted URLs have been the source of a number of security bugs
in different browsers in the past. We fast fail for any loads (and other
operations) if the valid bit isn't set on them. I think this is a generally
good idea.
This bug report boils down to: "Are you sure you want to be sending URLs you
think are invalid to the network stack and external protocol handlers?" I can't
see all the networking code and other stuff in Safari, so it's hard for me to
evaluate all the details of how it works and how big a risk this is.
In this case, of course, you want to send the URL to the external protocol
handler, and not doing that is what the Chromium bug is about in the first
place. The only way to make this work is to do what Firefox does, which I've
implemented (but is not currently checked in) for Chromium. Firefox keeps a
whitelist of known hierarchical schemes, and any URL not on that list is
considered non-hierarchical like "data". Chromium/Google-URL already has such a
list containing a few schemes, and so does even KURL (just consisting of "http"
and "https" which are hardcoded).
This results in less validation being done on the URL, which solves the problem
with the eDonkey URLs and a few other types. But there is still some minimal
validation that occurs and you can always rely on the isValid flag to test
whether a URL might be dangerous.
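The two validation strategies the report contrasts, as an added illustration that is not the reporter's code nor WebKit's KURL or Chromium's Google-URL: one path treats any scheme followed by "//" as hierarchical and validates the host (the behaviour described for KURL), the other only validates hosts for schemes on a known-hierarchical whitelist and treats everything else as opaque, like "data:". The whitelist contents and the forbidden-host-character set are assumptions (KURL is said to hardcode only "http" and "https"); IPv6 literals and "file:" URLs are not handled.

```python
import re

# Added illustration, not KURL or Google-URL code. The whitelist is an
# assumption: KURL is described as hardcoding only "http" and "https".
HIERARCHICAL_SCHEMES = frozenset({"http", "https", "ftp", "ws", "wss"})

# Characters a hierarchical host must never contain ("|" is the one
# that trips the eDonkey URL in the report). Assumed set for illustration.
FORBIDDEN_HOST_CHARS = frozenset('|<>"\\^`{} ')

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", re.S)


def classify(url: str, use_whitelist: bool) -> tuple[str, bool, bool]:
    """Return (scheme, hierarchical, valid).

    use_whitelist=False reproduces the behaviour the report describes:
    any scheme followed by "//" is treated as hierarchical and its host
    is validated. use_whitelist=True is the Firefox approach: only schemes
    on HIERARCHICAL_SCHEMES get host validation; everything else is opaque
    (like "data:") and is left for the protocol handler to interpret.
    """
    m = SCHEME_RE.match(url)
    if not m:
        return "", False, False          # no scheme at all: never valid
    scheme, rest = m.group(1).lower(), m.group(2)
    hierarchical = (scheme in HIERARCHICAL_SCHEMES if use_whitelist
                    else rest.startswith("//"))
    if not hierarchical:
        return scheme, False, True       # opaque: no host to check
    if not rest.startswith("//"):
        return scheme, True, False       # hierarchical scheme without authority
    authority = re.split(r"[/?#]", rest[2:], maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1].partition(":")[0]  # drop userinfo, port
    valid = bool(host) and not (set(host) & FORBIDDEN_HOST_CHARS)
    return scheme, True, valid


ED2K = "ed2k://|serverlist|http://www.gruk.org/server.met|/"  # URL from the report

if __name__ == "__main__":
    for u in (ED2K, "http://|evil|/", "data:text/plain,hi", "http:///"):
        print(f"{u!r:60} sigil={classify(u, False)[2]} whitelist={classify(u, True)[2]}")
```

With the whitelist, the ed2k URL is never subjected to host validation, so its isValid flag is true and it can go to the external handler, while "http://|evil|/" stays invalid under both strategies.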