Opened 7 years ago

Closed 10 months ago

#10854 closed defect (wontfix)

Limit IPv4 addresses to dotted-decimal form (as per RFC3986)

Reported by: oc
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-firefox-patch
Cc: gk
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

RFC3986 specifies that host IPv4 addresses must be in dotted-decimal format (xxx.xxx.xxx.xxx) in a URI.

However, on certain platforms (Unices) Firefox also allows alternative formats: octal, base 256, single long int… There is a longstanding ticket to change this behavior, as alternate IP representations nowadays only serve for malicious address obfuscation or filter bypassing.

The Tor browser should stick to the RFC in order to prevent such abuses and present a uniform behavior across platforms.
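
The strict-versus-alternative distinction described above, as an added example that is not part of the original ticket and is not Firefox or Tor Browser code. The function names are hypothetical, the sample hosts are constructed, and the legacy branch assumes the classic inet_aton conventions (hex, octal, and fewer than four parts) are what the ticket's "alternative formats" cover.

```javascript
// Added example: names below are hypothetical, sample hosts are constructed.
// dec-octet per RFC 3986 section 3.2.2: 0-255, no leading zeros.
const DEC_OCTET = "(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const STRICT_IPV4 = new RegExp(`^${DEC_OCTET}(?:\\.${DEC_OCTET}){3}$`);

function isStrictIPv4(host) {
  return STRICT_IPV4.test(host);
}

// One inet_aton-style part: 0x prefix is hex, leading 0 is octal, else decimal.
function parseLegacyPart(part) {
  if (/^0[xX][0-9a-fA-F]+$/.test(part)) return parseInt(part.slice(2), 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN;
}

// Dotted-decimal address a legacy parser would reach, or null if not numeric.
function legacyIPv4ToDotted(host) {
  const parts = host.split(".");
  if (parts.length > 4) return null;
  const nums = parts.map(parseLegacyPart);
  if (nums.some(Number.isNaN)) return null;
  // Leading parts are single octets; the last part fills the remaining bytes.
  const last = nums.pop();
  if (nums.some((n) => n > 255)) return null;
  if (last >= 256 ** (4 - nums.length)) return null;
  let value = last;
  nums.forEach((n, i) => { value += n * 256 ** (3 - i); });
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join(".");
}

// "strict" hosts pass; "legacy-numeric" hosts should be rejected or
// normalized before any allow/deny decision is made on the address.
function classifyHost(host) {
  if (isStrictIPv4(host)) return { verdict: "strict", address: host };
  const address = legacyIPv4ToDotted(host);
  if (address !== null) return { verdict: "legacy-numeric", address };
  return { verdict: "not-ipv4", address: null };
}

// Constructed sample hosts, all spellings of the loopback address plus a name.
for (const h of ["127.0.0.1", "0177.0.0.1", "0x7f.1", "2130706433", "example.org"]) {
  console.log(h, JSON.stringify(classifyHost(h)));
}
```

A filter that compares only the literal host string sees four different values in the sample list, while a legacy parser reaches the same address for all of them.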

Change History (6)

comment:1 Changed 7 years ago by oc

As a bonus, this would fix the ABE predicate "leak" mentioned in #10419. In other words, TBB could use NoScript to allow (non-Tor) access to localhost without opening the door to intrusive fingerprinting or accidental information leakage.

comment:3 Changed 7 years ago by gk

Cc: gk added

comment:4 Changed 6 years ago by erinn

Component: Firefox Patch Issues → Tor Browser
Keywords: tbb-firefox-patch added
Owner: changed from mikeperry to tbb-team

comment:5 Changed 3 years ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

comment:6 Changed 10 months ago by gk

Resolution: wontfix
Status: new → closed

Seems this got resolved as INVALID on Mozilla's side. Nothing we want to implement either.
