Opened 6 years ago

Last modified 23 months ago

#10854 new defect

Limit IPv4 addresses to dotted-decimal form (as per RFC3986)

Reported by: oc
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-firefox-patch
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

RFC3986 specifies that host IPv4 addresses must be in dotted-decimal format (xxx.xxx.xxx.xxx) in a URI.

However, on certain platforms (Unices) Firefox also allows alternative formats: octal, base 256, single long int… There is a longstanding ticket to change this behavior, as alternate IP representations nowadays only serve for malicious address obfuscation or filter bypassing.

The Tor browser should stick to the RFC in order to prevent such abuses and present a uniform behavior across platforms.
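
As an added illustration of the restriction requested in the description (not part of the ticket, and not Tor Browser or Firefox code): a strict RFC 3986 dec-octet check next to an inet_aton-style canonicalizer, so a filter can reject or normalize the alternative forms before applying policy. The function names and the sample hosts (built around the documentation address 192.0.2.1) are assumptions constructed for this example; hexadecimal parts are handled because classic inet_aton() accepts them as well.

```javascript
// Added example; all names here are hypothetical, not Firefox/Tor Browser APIs.

// RFC 3986 section 3.2.2: IPv4address = dec-octet "." dec-octet "." dec-octet "." dec-octet
// A dec-octet is 0-255 in decimal with no leading zeros.
const DEC_OCTET = "(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const RFC3986_IPV4 = new RegExp(`^${DEC_OCTET}(?:\\.${DEC_OCTET}){3}$`);

function isStrictIPv4(host) {
  return RFC3986_IPV4.test(host);
}

// One component as classic inet_aton() reads it:
// "0x" prefix = hexadecimal, leading "0" = octal, otherwise decimal.
function parsePart(s) {
  if (/^0[xX][0-9a-fA-F]+$/.test(s)) return parseInt(s.slice(2), 16);
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return null;
}

// Canonicalize a 1- to 4-part numeric host to dotted-decimal, or return null.
// All parts but the last are single bytes; the last part fills the remaining bytes.
function legacyToDotted(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.includes(null)) return null;
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  if (last >= 256 ** (4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0]
    .map((shift) => Math.floor(value / 2 ** shift) % 256)
    .join(".");
}

// Policy helper: accept only the RFC form, flag anything a legacy parser would
// still treat as an address, and pass everything else on as a non-address host.
function classifyHost(host) {
  if (isStrictIPv4(host)) return { kind: "ipv4", canonical: host };
  const canonical = legacyToDotted(host);
  if (canonical !== null) return { kind: "legacy-numeric", canonical };
  return { kind: "not-ipv4", canonical: null };
}
```

A caller enforcing the behaviour asked for here would refuse every host classified as `legacy-numeric`; a filter that cannot refuse should compare the `canonical` value against its rules instead of the raw string.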

Change History (5)

comment:1 Changed 6 years ago by oc

As a bonus, this would fix the ABE predicate "leak" mentioned in #10419. In other words, TBB could use NoScript to allow (non-Tor) access to localhost without opening the door to intrusive fingerprinting or accidental information leakage.

comment:3 Changed 6 years ago by gk

Cc: gk added

comment:4 Changed 5 years ago by erinn

Component: Firefox Patch Issues → Tor Browser
Keywords: tbb-firefox-patch added
Owner: changed from mikeperry to tbb-team

comment:5 Changed 23 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"
