21977 2008-10-30 11:26:01 -0700 KURL should prohibit most escape sequences in hostnames 2023-05-22 03:47:21 -0700 1 1 1 Unclassified WebKit Platform 528+ (Nightly build) All All RESOLVED INVALID P2 Normal --- 37641 1 brettw webkit-unassigned abarth annevk oldest_to_newest 97140 0 brettw 2008-10-30 11:26:01 -0700 KURL allows hostnames such as "hello%03world" or even more scarily "hello%00world" or "hello%2fworld" (which will unescape to "hello/world"). If the URL is extracted and unescaped (many of the component getters unescape by default, including host()) and passed to another system, such as the native OS's URL object, it could be treated as a completely different URL, with different security policy. Google Chrome uses the lookup table at the top of this file: http://code.google.com/p/google-url/source/browse/trunk/src/url_canon_host.cc Characters marked with "kEsc" are allowed to be escaped, while characters marked with 0 are disallowed either escaped or unescaped in hostnames. This table prohibits control charcters, characters that may change the parsing of the URL if unescaped like /?#, and NULL. I think KURL needs to do the same. 1956899 1 annevk 2023-05-22 03:47:21 -0700 KURL is gone.