Closed
Bug 308642
Opened 19 years ago
Closed 10 years ago
wrong interpretation of password in URI when semicolon present
Categories
(Core :: Networking, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: bugzilla.50.mll, Unassigned)
References
(Depends on 1 open bug, )
Details
Attachments
(1 file)
|
(deleted),
patch
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b2) Gecko/20050702 Hello there, NOTE: This is a bug I spotted in Firefox 1.5 beta [Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4] and previous versions, too. B but the rules at http://www.mozilla.org/support/firefox/bugs#mozilla said to check it in Mozilla, I found had it, too, so here we go: When you use the protocol://username:password@url scheme, and if there is a semicolon in the password, Mozilla & Firefox don't like it and usually do a google lucky search on "username:[part of the password before the semicolon]". FWIW, IE handles this fine. Reproducible: Always Steps to Reproduce: 1. Go to an url such as http://username:passwordwitha;semicolon@myurl.com Actual Results: I'm obviously not on the myurl.com site. On Mozilla, I get redirected to http://www.username.com/;semicolon@myurl.com On Firefox, I get redirected to http://www.webopedia.com/TERM/U/username.html Expected Results: Login to myurl.com with login "username" and password "passwordwitha;semicolon"
|
||
Updated•19 years ago
|
Assignee: general → darin
Component: General → Networking
Product: Mozilla Application Suite → Core
QA Contact: general → benc
Version: unspecified → Trunk
|
||
Comment 1•19 years ago
|
||
Semicolon's a reserved sub-delim character in URIs. What happens if instead you use http://username:passwordwitha%3Bsemicolon@myurl.com ?
|
||
Comment 2•19 years ago
|
||
Phil is right, the ';' needs to be hexencoded. Recommending Invalid for now. However if we ever move to RFC 3986 for urlparsing the role of ';' will be much smaller, I think we can loose the param-part of the url alltogether. The param will be part of path-segments and it will be up to every protocol if and where it recognizes params. This also calls for different ways to traverse path segments with '..'. Losing the param-part in urls would allow us to be able to parse this one right without encoding the ';'. So there is hope ...
(In reply to comment #1) > Semicolon's a reserved sub-delim character in URIs. What happens if instead you > use http://username:passwordwitha%3Bsemicolon@myurl.com ? It does work, both in Mozilla & Firefox. Thank you. (In reply to comment #2) > Phil is right, the ';' needs to be hexencoded. Recommending Invalid for now. > However if we ever move to RFC 3986 for urlparsing the role of ';' will be much > smaller, I think we can loose the param-part of the url alltogether. The param > will be part of path-segments and it will be up to every protocol if and where > it recognizes params. This also calls for different ways to traverse path > segments with '..'. Losing the param-part in urls would allow us to be able to > parse this one right without encoding the ';'. So there is hope ... I got about 25% of your comment. :) But my $0.02 are that IMHO anything between the ":" and the first "@" should be considered part of the password: there's no reason to parse the URI as if there could be a parameter next to the password string.
|
||
Updated•18 years ago
|
Assignee: darin → nobody
QA Contact: benc → networking
|
||
Comment 4•11 years ago
|
||
Is this still a problem? Note that the special-casing og ";" has been removed ~2 years ago.
|
||
Comment 5•10 years ago
|
||
This bug seems to have been fixed, as the previous comment says. I have written a unit test to check, and indeed, the colon is properly encoded.
|
|
||
Updated•10 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•