[Webkit-unassigned] [Bug 174267] New: Selecting and right-clicking URL-like strings with IDNA-disallowed characters in host or authority causes rendering engine crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 7 12:40:45 PDT 2017


https://bugs.webkit.org/show_bug.cgi?id=174267

            Bug ID: 174267
           Summary: Selecting and right-clicking URL-like strings with
                    IDNA-disallowed characters in host or authority causes
                    rendering engine crash
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Macintosh
                OS: macOS 10.12
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: New Bugs
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jesse at jesseshapiro.net

Created attachment 314862

  --> https://bugs.webkit.org/attachment.cgi?id=314862&action=review

Reproduction cases

Reproduced in MacOS 10.12.5 with Safari 10.1.1 (12603.2.4) as well as WebKit Nightly 10.1.1 (12603.2.4, r219255).
A friend attempted to reproduce the failure case with OS X 10.10.4 and Safari 8.0.7 (10600.7.12), and did not observe the problematic behavior.

Expected behavior:

Selecting any given amount of arbitrary text and right-clicking it does not crash the webpage process.

Actual behavior:

When selecting and then right-clicking text of the following format, the webpage process crashes:

1. The text has the appearance of a URL (scheme://host at a minimum). The scheme need not be an actual recognized scheme.
2. The host and/or authority component of the supposed URL contains one of a range of characters. All known reproduction cases involve characters that are IDNA disallowed. For example, Ⴀ or …. Any of these characters in the scheme, port, or path of the URL does not cause a crash.

This is easiest to reproduce when the text in question is the user-visible text of an <a> tag, since right-clicking a link selects the text. Thus, an HTML file with minimal reproduction cases is included. However, it can be reproduced by simply selecting plain text, and then right-clicking. Demonstration:

http://Ⴀ

Crash log to be attached after submission. Looking at it, it appears as though upon right-clicking any selected text, a check is made to determine if it's a navigable URL, and the error occurs in this process.
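The robustness property the report asks for is that the "is this selection a navigable URL?" check is total: any text, including a host made of IDNA-disallowed characters, yields a verdict rather than an exception. The following Python is an added illustration of that pattern, not WebKit's code or its data-detection logic. Its host validity test is a conservative approximation of the IDNA2008 rules (an assumption, not the real derived-property tables): ASCII labels must be letter/digit/hyphen, and non-ASCII labels may contain only letters, digits and marks that are stable under NFKC plus case folding, which rejects both characters from the report (U+10A0 case-folds to U+2D00, and U+2026 NFKC-expands to "..."). Characters in the path are not checked, matching the report's observation that they do not trigger the failure.

```python
import ipaddress
import re
import unicodedata

# scheme "://" authority, where authority runs until the first "/", "?" or "#"
_URL_LIKE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)")
_LDH_LABEL_RE = re.compile(r"[A-Za-z0-9-]+")


def extract_host(text: str):
    """Return the host part of a URL-like string, or None if it cannot be isolated.

    Deliberately does not lowercase: urlsplit().hostname applies str.lower(),
    which would map an uppercase letter such as U+10A0 to its lowercase form
    before the validity check ever sees it.
    """
    m = _URL_LIKE_RE.match(text)
    if not m:
        return None
    authority = m.group(1)
    hostport = authority.rsplit("@", 1)[-1]      # drop userinfo if present
    if hostport.startswith("["):                 # IPv6 literal "[...]" with optional ":port"
        end = hostport.find("]")
        if end < 0:
            return None
        rest = hostport[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return hostport[:end + 1]
    host, sep, port = hostport.partition(":")
    if sep and not port.isdigit():
        return None
    return host


def host_is_plausibly_valid(host: str) -> bool:
    """Conservative approximation of IDNA2008 host validity (assumption, not the
    real tables). Rejects U+10A0 and U+2026 from the report, but is stricter than
    IDNA2008 in places: PVALID characters whose casefold differs from themselves
    (for example U+00DF, which casefolds to "ss") are rejected too."""
    if host.startswith("["):
        try:
            ipaddress.IPv6Address(host[1:-1])
            return True
        except ValueError:
            return False
    if not host:
        return False
    for label in host.split("."):
        if not label or len(label) > 63 or label.startswith("-") or label.endswith("-"):
            return False
        if label.isascii():
            if not _LDH_LABEL_RE.fullmatch(label):
                return False
            continue
        for ch in label:
            if ch == "-":
                continue
            if ch.isascii():                      # ASCII inside a Unicode label: LDH only
                if not ch.isalnum():
                    return False
                continue
            if unicodedata.category(ch)[0] not in ("L", "N", "M"):
                return False
            if unicodedata.normalize("NFKC", ch).casefold() != ch:
                return False
    return True


def classify_selection(text: str) -> str:
    """Classify selected text as 'not_a_url', 'rejected' or 'navigable'.

    Every step is total: malformed or unexpected input yields 'rejected',
    never an exception, which is the property the crash report is about."""
    text = text.strip()
    if not _URL_LIKE_RE.match(text):
        return "not_a_url"
    host = extract_host(text)
    if host is None or not host_is_plausibly_valid(host):
        return "rejected"
    if not host.startswith("["):
        try:
            host.encode("idna")   # stdlib IDNA2003 codec; raises UnicodeError on bad labels
        except UnicodeError:
            return "rejected"
    return "navigable"


if __name__ == "__main__":
    # Constructed sample selections, including the two hosts from the report.
    for sample in ("http://Ⴀ", "http://…", "https://example.com/…", "just some text"):
        print(repr(sample), "->", classify_selection(sample))
```

The final `encode("idna")` call is wrapped even though the earlier check already filtered the host: the point of the pattern is that no single validation layer is trusted to be exhaustive, so the conversion step itself is treated as fallible and its failure becomes a verdict rather than a crash.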
