Bug 111474 - angle brackets don't get escaped in URLs
Status: RESOLVED NOT A BUG
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 3.4.1
Platform: Debian testing Linux
Priority: NOR, Severity: normal
Assignee: Konqueror Developers
Reported: 2005-08-25 12:03 UTC by Heiko Hund
Modified: 2012-06-18 17:39 UTC
Description Heiko Hund 2005-08-25 12:03:50 UTC
Version:           3.4.1 (using KDE KDE 3.4.1)
Installed from:    Debian testing/unstable Packages

Informally, an RFC2396 URI is:

      <scheme>://<authority><path>?<query>
      
ABNF-formal:

      query         = *uric

      uric        = reserved | unreserved | escaped
      
      reserved    = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" |
                    "$" | ","
                    
      unreserved  = alphanum | mark
      
      mark        = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
      
      escaped     = "%" hex hex

"<" and ">" should thus be escaped. However, if I send a GET request containing angle brackets within a parameter, they are not escaped by konqueror.
Comment 1 Philip Rodrigues 2006-09-06 00:19:13 UTC
Can you give an example URL where this is a problem?
Comment 2 Heiko Hund 2006-10-20 15:54:32 UTC
Sorry for the delay.

I noticed konqueror does not URL-encode < and > when I tested our application server software with it. We use an apache module to translate HTTP requests into structured request XMLs, which we then send through a unix domain socket to the server for processing. Having parameter values that contain a < or > renders the request XML invalid, since they must be entity encoded into &lt; and &gt;. Other browsers URL-encode < and >, thus the XML stays valid, since %XX need not be entity encoded. Since the RFC also mentions that the characters need to be escaped, I figured this is worth reporting.
Comment 3 Heiko Hund 2006-10-20 16:12:42 UTC
Example: If I put http://bugs.kde.org/show_bug.cgi?id=111474&foo=1<2 manually into the location bar, konqueror generates an HTTP request like:

GET /show_bug.cgi?id=111474&foo=1<2 HTTP/1.1 
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu) 
[...]

Where 'GET /show_bug.cgi?id=111474&foo=1<2 HTTP/1.1' should rather read 'GET /show_bug.cgi?id=111474&foo=1%3C2 HTTP/1.1' in my opinion.

This request leads to a line '<parameter name="foo">1<2</parameter>' in our request XML which is invalid XML and should rather read '<parameter name="foo">1%3C2</parameter>'. At least that's what we expect. =)

Comment 4 baum-im-wald 2007-01-07 21:23:06 UTC
The requested behaviour is indeed what mozilla firefox does, but I have not enough knowledge to say if this is 'better' in any way.
Comment 5 MightyE 2008-05-25 03:50:35 UTC
RFC2396 states that characters such as <, >, and " must be escaped with a % Hex Hex sequence.

I can confirm that this behavior deviates from the RFC. It may open cross-site scripting attacks on some sites which pass an unfiltered Request URI in a hidden field (normally this is safe to not escape since the browser should have already done the escaping for you, regular users would not experience a problem, though arguably it's still sloppy).

For example:
<form action="submitComment.php" method="POST">
    Comment:<br/>
    <textarea name="comment"></textarea>
    <!-- hidden field that reflects the raw, unescaped request URI -->
    <input type="hidden" name="page_I_came_from" value="<?=$_SERVER['REQUEST_URI']?>">
    <input type="submit">
</form>

In Firefox (for sure 2 and 3), Safari (Leopard), Internet Explorer 5.5 - 7, and Opera (9), a URL like http://site.com/page.php?"><script>alert(document.cookie)</script> causes no XSS. In Konqueror it does cause an XSS.

Konqueror should rewrite invalid URLs to escape any characters into their % Hex Hex format before making the request.  Failing to do so both violates the RFC, and enables cross-site scripting attacks which work only in this browser.
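As an added example, not code from the bug report or from KDE: the first function applies the RFC 2396 "uric" classes quoted in the description, percent-encoding everything else (what the reporter expects the browser to do); the second is the server-side hardening of the form in Comment 5, HTML-escaping REQUEST_URI before it is placed in the attribute so the page is safe regardless of what the browser sends. Function names and the sample URIs are my own.

```python
import html
import string

# RFC 2396 character classes, constructed from the ABNF quoted in the report.
RESERVED = set(";/?:@&=+$,")
MARK = set("-_.!~*'()")
UNRESERVED = set(string.ascii_letters + string.digits) | MARK
URIC = RESERVED | UNRESERVED  # "escaped" (%hh) is handled separately below


def escape_uric(uri: str) -> str:
    """Percent-encode every character that is not 'uric' per RFC 2396.

    Existing, well-formed %hh escapes are left untouched; a lone '%' that
    is not followed by two hex digits is itself encoded as %25.
    """
    out = []
    i = 0
    while i < len(uri):
        c = uri[i]
        if c == "%" and i + 2 < len(uri) and all(
            h in string.hexdigits for h in uri[i + 1 : i + 3]
        ):
            out.append(uri[i : i + 3])  # keep an existing escape as-is
            i += 3
            continue
        if c in URIC:
            out.append(c)
        else:
            # Non-uric (including '<', '>', '"', space, non-ASCII): %HH per UTF-8 byte
            out.extend("%%%02X" % b for b in c.encode("utf-8"))
        i += 1
    return "".join(out)


def hidden_field(request_uri: str) -> str:
    """Server-side fix for the form in Comment 5 (hypothetical helper).

    HTML-escapes the raw request URI before embedding it in an attribute
    value, so a browser that does not percent-encode < > " cannot break
    out of the attribute.
    """
    safe = html.escape(request_uri, quote=True)
    return '<input type="hidden" name="page_I_came_from" value="%s">' % safe
```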
Comment 6 MightyE 2008-05-25 03:53:26 UTC
Also, this behavior is still present in Konqueror 3.5.9
Comment 7 Dotan Cohen 2008-06-28 23:52:12 UTC
As this is a security vulnerability (XSS) should the priority not be higher?
Comment 8 FiNeX 2008-06-29 10:48:14 UTC
Is this valid even for KDE4 ?
Comment 9 FiNeX 2010-08-15 22:37:24 UTC
Marked as WAITINGFORINFO until somebody adds more details.
Comment 10 Myriam Schweingruber 2012-06-18 17:39:31 UTC
Closing for lack of feedback.