Opened 7 years ago

Closed 7 years ago

#6197 closed defect (fixed)

[CHROME] HTTPS Everywhere causes email address foo@gmail.com to be redirected to foo@mail.google.com incorrectly

Reported by: alexmuller
Owned by: dtauerbach
Priority: Medium
Milestone:
Component: HTTPS Everywhere/EFF-HTTPS Everywhere
Version:
Severity:
Keywords: gmail, google, https everywhere
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Today I received an email that I wanted to opt out of (unsubscribe from). The URL given to opt out (in the footer) is:

http://careers.stackoverflow.com/email/optout/myemailaddress@gmail.com/CpEzg

The Chrome extension causes this URL to be redirected to:

http://careers.stackoverflow.com/email/optout/myemailaddress@mail.google.com/CpEzg

...where obviously the token given at the end of the URL doesn't match my email address, so the unsubscribe functionality is broken.

I've verified this is caused by the HTTPS Everywhere extension - disabling the extension causes the link to not be redirected. Nothing is displayed in the console, and the original GET is displayed as Pending in the Chrome network inspector.

Chrome extension version: 2012.5.1

Many thanks,

Alex

Change History (8)

comment:1 Changed 7 years ago by pde

Wow this is a nifty bug!

comment:2 Changed 7 years ago by pde

Observation 1: @ is not a valid character for a URL (you're supposed to use %40 instead), but Firefox seems to allow it anyway :(

comment:3 Changed 7 years ago by pde

<dveditz> pde: it's legal
<dveditz> within a path "The path may consist of a sequence of path segments separated by a
<dveditz> single slash "/" character. Within a path segment, the characters "/", ";", "=", and "?" are reserved."
<dveditz> pchar = unreserved | escaped | ":" | "@" | "&" | "=" | "+" | "$" | ","
<dveditz> (pchar is "path character") from section 3.3 of rfc 2396
<dveditz> "@" is also valid in the query part
<dveditz> just not the scheme or host part of a URI

comment:4 Changed 7 years ago by pde

Summary: changed from "HTTPS Everywhere causes email address foo@gmail.com to be redirected to foo@mail.google.com incorrectly" to "[CHROME] HTTPS Everywhere causes email address foo@gmail.com to be redirected to foo@mail.google.com incorrectly"

I added some printfs to rewrittenURI to see how the URL parser there was handling this URL:

Got http-on-modify-request: http://careers.stackoverflow.com/email/optout/myemailaddress@gmail.com/CpEzg
userpass is
host is careers.stackoverflow.com

comment:5 Changed 7 years ago by pde

Erm, ignore that last message. This is definitely only a Chrome bug.

comment:6 Changed 7 years ago by pde

Owner: changed from pde to dtauerbach
Status: changed from new to assigned

This is a jsuri bug, in fact.

comment:8 Changed 7 years ago by dtauerbach

Resolution: fixed
Status: changed from assigned to closed

Fixed with change to URI.js library in chrome-2012.9.21.
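
The symptom reported in this ticket, reproduced as an added example (not jsuri, URI.js or HTTPS Everywhere code): a parser that looks for "@" before isolating the authority mistakes path text for the host, shown beside a split that follows the RFC 2396 rule quoted in comment 3. The gmail.com rule, the function names and the naive parser's logic are assumptions made for illustration; the ticket does not show the library's code.

```javascript
// Added example: not jsuri or HTTPS Everywhere code.
// Hypothetical host rule, constructed to match the redirect seen in the ticket.
const RULES = [{ from: "gmail.com", to: "mail.google.com" }];
// URL from the ticket description.
const TICKET_URL =
  "http://careers.stackoverflow.com/email/optout/myemailaddress@gmail.com/CpEzg";

// Flawed (assumed failure class): the first "@" after the scheme is taken as the
// userinfo delimiter, so an "@" in the path makes path text look like the host.
function naiveHost(url) {
  const rest = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  const at = rest.indexOf("@");
  return (at === -1 ? rest : rest.slice(at + 1)).split(/[\/?#:]/)[0];
}

function naiveRewrite(url) {
  const host = naiveHost(url);
  const rule = RULES.find((r) => r.from === host.toLowerCase());
  // Substituting the "host" string lands on the path, where it was found.
  return rule ? url.replace(host, rule.to) : url;
}

// Correct order: cut the authority at the first "/", "?" or "#",
// then look for "@" only inside that authority.
function splitUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)(.*)$/i.exec(url);
  if (!m) throw new Error("not a scheme://authority URL: " + url);
  const [, scheme, authority, tail] = m;
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? "" : authority.slice(0, at + 1); // keeps the "@"
  const [, host, port = ""] = /^(.*?)(:\d*)?$/.exec(authority.slice(at + 1));
  return { scheme, userinfo, host, port, tail };
}

function safeRewrite(url) {
  const p = splitUrl(url);
  const rule = RULES.find((r) => r.from === p.host.toLowerCase());
  // Rebuild from components so only the host component can change.
  return rule ? `${p.scheme}://${p.userinfo}${rule.to}${p.port}${p.tail}` : url;
}
```

The built-in `URL` class performs the same authority-first split, so `new URL(TICKET_URL).hostname` is `careers.stackoverflow.com`.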
