Version: 3.4.1 (using KDE KDE 3.4.1)
Installed from: Debian testing/unstable Packages

Informally an RFC2396 URI is:

  <scheme>://<authority><path>?<query>

ABNF-formal:

  query      = *uric
  uric       = reserved | unreserved | escaped
  reserved   = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","
  unreserved = alphanum | mark
  mark       = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
  escaped    = "%" hex hex

"<" and ">" should thus be escaped. However, if I send a GET request containing angle brackets within a parameter they are not escaped by konqueror.
Can you give an example URL where this is a problem?
Sorry for the delay. I noticed konqueror does not URL-encode < and > when I tested our application server software with it. We use an apache module to translate HTTP requests into structured request XMLs we then send through a unix domain socket to the server for processing. Having parameter values that contain a < or > renders the request XML invalid since they must be entity encoded into &lt; and &gt;. Other browsers URL-encode < and >, thus the XML stays valid since %XX need not be entity encoded. Since the RFC also mentions that the characters need to be escaped I figured this is worth reporting.
Example: If I put

  http://bugs.kde.org/show_bug.cgi?id=111474&foo=1<2

manually into the location bar konqueror generates an HTTP request like:

  GET /show_bug.cgi?id=111474&foo=1<2 HTTP/1.1
  User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Kubuntu)
  [...]

Where 'GET /show_bug.cgi?id=111474&foo=1<2 HTTP/1.1' should rather read 'GET /show_bug.cgi?id=111474&foo=1%3C2 HTTP/1.1' in my opinion. This request leads to a line

  <parameter name="foo">1<2</parameter>

in our request XML, which is invalid XML and should rather read

  <parameter name="foo">1%3C2</parameter>

At least that's what we expect. =)
The requested behaviour is indeed what Mozilla Firefox does, but I do not have enough knowledge to say if this is 'better' in any way.
RFC2396 states that characters such as <, >, and " must be escaped with a % Hex Hex sequence. I can confirm that this behavior deviates from the RFC. It may open cross-site scripting attacks on some sites which pass an unfiltered Request URI in a hidden field (normally it is safe not to escape this, since the browser should have already done the escaping for you, and regular users would not experience a problem, though arguably it's still sloppy). For example:

  <form action="submitComment.php" method="POST">
    Comment:<br/>
    <textarea name="comment"></textarea>
    <input name="page_I_came_from" value="<?=$_SERVER['REQUEST_URI']?>">
    <input type="submit">
  </form>

In Firefox (for sure 2 and 3), Safari (Leopard), Internet Explorer 5.5 - 7, and Opera (9), a URL like

  http://site.com/page.php?"><script>alert(document.cookie)</script>

causes no XSS. In Konqueror it does cause an XSS. Konqueror should rewrite invalid URLs to escape any characters into their % Hex Hex format before making the request. Failing to do so both violates the RFC and enables cross-site scripting attacks which work only in this browser.
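The two failure modes in this thread, the reporter's request XML going ill-formed on a raw '<' and the hidden-field XSS in the comment above, both come down to the same missing step: percent-encoding anything outside RFC 2396's `uric` set before the query is sent, and HTML-escaping server-side regardless of what the client did. The following is an added example written for this bug, not Konqueror's or the reporter's code; the function names (`escape_query`, `request_line`, `xml_parameter_is_wellformed`, `hidden_field`) and the sample inputs are constructed here, reusing the URLs already quoted in the thread.

```python
# Added example (not from the bug report or KDE): an RFC 2396-style query
# escaper, the XML well-formedness check the reporter's apache module would
# need, and the hidden-field pattern from comment 6 with and without
# attribute escaping. All names and sample values below are constructed.
import html
import string
import xml.etree.ElementTree as ET

# RFC 2396 grammar as quoted in the report:
#   uric       = reserved | unreserved | escaped
#   reserved   = ";" "/" "?" ":" "@" "&" "=" "+" "$" ","
#   unreserved = alphanum | mark
#   mark       = "-" "_" "." "!" "~" "*" "'" "(" ")"
RESERVED = set(';/?:@&=+$,')
MARK = set("-_.!~*'()")
UNRESERVED = set(string.ascii_letters + string.digits) | MARK
URIC_LITERAL = RESERVED | UNRESERVED   # anything else must become %HH


def escape_query(query: str) -> str:
    """Percent-encode every character of `query` that is not a literal uric
    character. A well-formed '%HH' already present is passed through so that
    pre-escaped input is not double-encoded; non-ASCII is emitted as UTF-8
    octets, one %HH per byte."""
    out = []
    i = 0
    while i < len(query):
        ch = query[i]
        if (ch == '%' and i + 3 <= len(query)
                and all(c in string.hexdigits for c in query[i + 1:i + 3])):
            out.append(query[i:i + 3])
            i += 3
            continue
        if ch in URIC_LITERAL:
            out.append(ch)
        else:
            out.extend('%%%02X' % b for b in ch.encode('utf-8'))
        i += 1
    return ''.join(out)


def request_line(path: str, query: str) -> str:
    """Request line a conforming client should send for path?query."""
    return 'GET %s?%s HTTP/1.1' % (path, escape_query(query))


def xml_parameter_is_wellformed(name: str, value: str) -> bool:
    """Mirror the reporter's pipeline: the raw query value is dropped into a
    <parameter> element. Returns False when the result is not well-formed."""
    try:
        ET.fromstring('<parameter name="%s">%s</parameter>' % (name, value))
        return True
    except ET.ParseError:
        return False


def hidden_field(request_uri: str, escape: bool) -> str:
    """The page_I_came_from input from comment 6. escape=False mirrors the
    raw <?=$_SERVER['REQUEST_URI']?> pattern; escape=True applies the
    HTML-attribute escaping a server should do regardless of the client."""
    value = html.escape(request_uri, quote=True) if escape else request_uri
    return '<input name="page_I_came_from" value="%s">' % value


if __name__ == '__main__':
    print(request_line('/show_bug.cgi', 'id=111474&foo=1<2'))
    print(xml_parameter_is_wellformed('foo', '1<2'),
          xml_parameter_is_wellformed('foo', escape_query('1<2')))
    uri = '/page.php?"><script>alert(document.cookie)</script>'
    print(hidden_field(uri, escape=False))
    print(hidden_field(uri, escape=True))
```

Two things the thread implies but does not spell out: the reporter's module should entity-encode parameter values into the XML independently of whether the browser percent-encoded them, and the `hidden_field` comparison shows that the site in comment 6 is only safe by accident, since attribute escaping, not browser behaviour, is what keeps the markup intact.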
Also, this behavior is still present in Konqueror 3.5.9
As this is a security vulnerability (XSS) should the priority not be higher?
Is this valid even for KDE4 ?
Marked as WAITINGFORINFO until somebody adds more details.
Closing for lack of feedback.