Bug 21977 - KURL should prohibit most escape sequences in hostnames
Summary: KURL should prohibit most escape sequences in hostnames
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 37641
Reported: 2008-10-30 11:26 PDT by Brett Wilson (Google)
Modified: 2023-05-22 03:47 PDT
CC: 2 users

See Also:


Attachments

Description Brett Wilson (Google) 2008-10-30 11:26:01 PDT
KURL allows hostnames such as "hello%03world" or even more scarily "hello%00world" or "hello%2fworld" (which will unescape to "hello/world").

If the URL is extracted and unescaped (many of the component getters unescape by default, including host()) and passed to another system, such as the native OS's URL object, it could be treated as a completely different URL, with different security policy.

Google Chrome uses the lookup table at the top of this file:
http://code.google.com/p/google-url/source/browse/trunk/src/url_canon_host.cc
Characters marked with "kEsc" are allowed to be escaped, while characters marked with 0 are disallowed either escaped or unescaped in hostnames. This table prohibits control characters, characters that may change the parsing of the URL if unescaped like /?#, and NULL. I think KURL needs to do the same.
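The lookup-table approach described in the report, as an added example that is not KURL or google-url code: every byte of the host, whether it arrives bare or as a %XX escape, is classified as disallowed, kept, or escape-only, so "hello%2fworld" is rejected exactly like a bare "hello/world". The character classes, the function names (hostcheck::canonicalizeHost and friends) and the rejection of non-ASCII via escaping rather than IDNA are this example's assumptions, not a copy of Chrome's url_canon_host.cc table.

```cpp
// Added example, not KURL or google-url code. Character classes below are an
// assumption modeled on the three-way table the report describes.
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>

namespace hostcheck {

enum class CharClass : uint8_t { Invalid, Keep, Escape };

// Classify a 7-bit byte. The same table is consulted for bytes that arrived
// percent-escaped, so an escaped delimiter or control byte is still rejected.
inline CharClass classify(unsigned char c) {
    if (c < 0x20 || c == 0x7f) return CharClass::Invalid;  // controls, NUL, DEL
    switch (c) {
        case '#': case '%': case '/': case '?': case '@': case '\\':
            return CharClass::Invalid;  // would change URL parsing if unescaped
        default:
            break;
    }
    bool alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                 (c >= 'A' && c <= 'Z');
    if (alnum || c == '-' || c == '.' || c == '_' || c == ':' || c == '[' || c == ']')
        return CharClass::Keep;   // ':' '[' ']' kept for IPv6 literals (assumption)
    return CharClass::Escape;     // harmless but only allowed in %XX form, e.g. space
}

struct Result {
    bool ok;
    std::string canonical;  // lowercased ASCII; Escape-class bytes as %XX
    std::string reason;     // empty on success
};

inline int hexValue(char h) {
    if (h >= '0' && h <= '9') return h - '0';
    if (h >= 'a' && h <= 'f') return h - 'a' + 10;
    if (h >= 'A' && h <= 'F') return h - 'A' + 10;
    return -1;
}

// Decode "%XX" starting at s[i]; nullopt when truncated or not hex digits.
inline std::optional<unsigned char> decodeEscape(const std::string& s, size_t i) {
    if (i + 2 >= s.size()) return std::nullopt;
    int hi = hexValue(s[i + 1]), lo = hexValue(s[i + 2]);
    if (hi < 0 || lo < 0) return std::nullopt;
    return static_cast<unsigned char>(hi * 16 + lo);
}

inline void appendEscaped(std::string& out, unsigned char c) {
    char buf[4];
    std::snprintf(buf, sizeof buf, "%%%02X", c);
    out += buf;
}

// Validate and canonicalize a host component. Escapes are decoded first and the
// decoded byte is classified, so "%00", "%03", "%2f" and "%25" are all rejected.
inline Result canonicalizeHost(const std::string& host) {
    Result r{true, "", ""};
    for (size_t i = 0; i < host.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(host[i]);
        if (c == '%') {
            auto decoded = decodeEscape(host, i);
            if (!decoded)
                return {false, "", "malformed percent-escape at offset " + std::to_string(i)};
            c = *decoded;
            i += 2;  // skip the two hex digits
        }
        if (c >= 0x80) {  // non-ASCII: keep escaped; IDNA handling is out of scope
            appendEscaped(r.canonical, c);
            continue;
        }
        switch (classify(c)) {
            case CharClass::Invalid: {
                char msg[64];
                std::snprintf(msg, sizeof msg, "disallowed byte 0x%02X at offset %zu", c, i);
                return {false, "", msg};
            }
            case CharClass::Keep:
                r.canonical += (c >= 'A' && c <= 'Z') ? static_cast<char>(c + 32)
                                                      : static_cast<char>(c);
                break;
            case CharClass::Escape:
                appendEscaped(r.canonical, c);
                break;
        }
    }
    if (r.canonical.empty()) return {false, "", "empty host"};
    return r;
}

}  // namespace hostcheck

int main() {
    // Constructed inputs: the report's three examples plus a benign host.
    const char* samples[] = {"hello%03world", "hello%00world", "hello%2fworld", "Example.COM"};
    for (const char* s : samples) {
        hostcheck::Result r = hostcheck::canonicalizeHost(s);
        std::printf("%-16s -> %s %s\n", s, r.ok ? "OK" : "REJECT",
                    r.ok ? r.canonical.c_str() : r.reason.c_str());
    }
    return 0;
}
```

The important design point is that the check runs on the decoded byte, not on the raw text: a validator that only scans for bare '/' or NUL passes "hello%2fworld", and the moment a getter such as host() unescapes it and hands it to another URL parser, the host boundary has moved. Rejecting '%' itself in the decoded position also stops double-encoding ("%252f") from surviving one round of unescaping.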
Comment 1 Anne van Kesteren 2023-05-22 03:47:21 PDT
KURL is gone.