[Webkit-unassigned] [Bug 34668] New: WebKit seems willing to load URLs it considers "invalid"

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 5 16:53:49 PST 2010


           Summary: WebKit seems willing to load URLs it considers
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Platform
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: brettw at chromium.org
                CC: eric at webkit.org, fishd at chromium.org

This report is related to this bug in Chromium:

The bug itself does not actually affect Safari, even though tracing through
KURL it clearly thinks
is an invalid URL due to the presence of "|" in the host. It bothers checking
the host at all because it sees "://" and treats the URL as hierarchical.

Chromium has been very strict about never doing anything with invalid URLs,
since crazily formatted URLs have been the source of a number of security bugs
in different browsers in the past. We fast fail for any loads (and other
operations) if the valid bit isn't set on them. I think this is a generally
good idea.

This bug report boils down to: "Are you sure you want to be sending URLs you
think are invalid to the network stack and external protocol handlers?" I can't
see all the networking code and other stuff in Safari, so it's hard for me to
evaluate all the details of how it works and how big a risk this is.

In this case, of course, you want to send the URL to the external protocol
handler, and not doing that is what the Chromium bug is about in the first
place. The only way to make this work is to do what Firefox does, which I've
implemented (but is not currently checked in) for Chromium. Firefox keeps a
whitelist of known hierarchical schemes, and any URL not on that list is
considered non-hierarchical like "data". Chromium/Google-URL already has such a
list containing a few schemes, and so does even KURL (just consisting of "http"
and "https" which are hardcoded).

This results in less validation being done on the URL, which solves the problem
with the eDonkey URLs and a few other types. But there is still some minimal
validation that occurs and you can always rely on the isValid flag to test
whether a URL might be dangerous.

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list