Bug 8770

Summary:

XMLHttpRequest should strip CR/LF characters from the URL

Product:

WebKit

Reporter:

Alexey Proskuryakov <ap>

Component:

XML

Assignee:

Alexey Proskuryakov <ap>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

brettw

Priority:

Version:

420+

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
test case (needs tcpdump)	none
proposed fix	darin: review+
Test case showing bug in host and scheme.	none

Alexey Proskuryakov

Reported 2006-05-07 06:07:54 PDT

I've just debugged a problem with a Web forum that didn't work in Safari because a CR/LF sequence managed to get into the request URL. Firefox (and, presumably, WinIE) strip CRLF characters rather than percent-encode them. Should investigate what other characters need to be stripped, and whether this applies to URLs other than those used in XMLHttpRequest.

Attachments
test case (needs tcpdump) (366 bytes, text/html) 2006-05-07 06:10 PDT, Alexey Proskuryakov	no flags	Details
proposed fix (2.00 KB, patch) 2006-05-11 12:58 PDT, Alexey Proskuryakov	darin: review+	Details Formatted Diff Diff
Test case showing bug in host and scheme. (371 bytes, text/html) 2007-12-19 09:54 PST, Brett Wilson (Google)	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2006-05-07 06:10:10 PDT

Created attachment 8142 [details] test case (needs tcpdump) Request from Safari: GET /?%0D%0A HTTP/1.1

Alexey Proskuryakov

Comment 2 2006-05-11 12:58:13 PDT

Created attachment 8251 [details] proposed fix Yes, both Firefox and WinIE strip CR, LF and TAB, and this happens for all URLs, not just XMLHttpRequest (I've tried IFRAME SRC, window.location and META HTTP-EQUIV Refresh). No other characters from 0x01... 0x20 are stripped (as tested with Firefox). No idea why they do this, doesn't really look like a security measure. My only wild guess is that this behavior originates with Gopher selector syntax :-)

Darin Adler

Comment 3 2006-05-11 18:06:53 PDT

Comment on attachment 8251 [details] proposed fix r=me

Brett Wilson (Google)

Comment 4 2007-12-19 09:46:09 PST

This bug is still very much open. The proposed fix only works for paths and reference fragments. If CR/LF/TAB appear in the host or scheme, KURL gets very confused. In the scheme, it won't even recognize it as an absolute URL, and in the host, not only will it fail, but in this case, it won't remove characters appearing later in the path. I will attach a testcase.

Brett Wilson (Google)

Comment 5 2007-12-19 09:54:09 PST

Created attachment 17991 [details] Test case showing bug in host and scheme. All three of the links should go to Apple. Firefox and IE agree about all of them, WebKit fails on all of them.

Alexey Proskuryakov

Comment 6 2007-12-19 11:09:24 PST

Could you please file a new bug for that? To avoid confusion, we generally don't reopen bugs if the fix was incomplete - only if it was completely wrong, and had to be rolled out.

Mark Rowe (bdash)

Comment 7 2007-12-22 01:29:44 PST

For reference, the fix for this was landed back in r14320. Marvin, it would be great if you could open a new bug about the issues you mentioned.

Darin Adler

Comment 8 2008-01-03 00:21:33 PST

I'm re-closing this bug. Marv, please open a new one.

Note You need to log in before you can comment on or make changes to this bug.