Firefox/Mozilla exploit semi-permanenet fix

Roger Oberholtzer roger
Thu Feb 10 11:37:00 PST 2005 

On Thu, 2005-02-10 at 14:40, Net Llama! wrote:
> On Thu, 10 Feb 2005, Roger Oberholtzer wrote:
> > On Wed, 2005-02-09 at 16:23 -0800, Bill Campbell wrote:
> >
> > > >No side effects? This allows all regular sites?
> > >
> > > It should allow anything with legitimate ascii characters in the URL.
> >
> > 'legitimate'? I think my ??? are hardly bastards! Perhaps you meant 'the
> > traditional ASCII printable characters between 32 and 127'?
> >
> > Although we do not use them, the official URL definition does allow
> > these characters in URLs. Up to two or so years ago, the Swedish NIC
> > would not allow domain names with '???'. They now do as it is an allowed
> > part of the standard. So, in this sense, '?????????' and so on are
> > legitimate...
> 
> Do you have an example of a real domain that uses them?

Info on this can be found here:

http://www.nic.se/english/idninfo.shtml

This is how these names can be handled in the .se domain. I don't know
if this applies in all top level domains.

A test DNS entry from NIC.SE is:

http://www.gr?tt?rg?tt.se/

How well this works for you depends on your browser. For example, I see
that Konqueror (KDE 3.1) converts it to  

http://www.gr%F6tt%E4rg%F6tt.se/

and then complains that the host cannot be found, while Firebird
converts it to 

http://www.xn--grttrgtt-3za1pf.se/

and makes the same complaint.

I think the general idea is that the user types the 'real name'
(http://www.gr?tt?rg?tt.se), and the browser (DNS maybe) modifies it to
something more conservative, which is used in DNS lookups. The converted
name should never really be seen. It is buggy/incomplete browser 
implementations of this that are problematic.

I have not found a way to access these sites. But the names are
supported in some areas of the 'net by an international standard.

+????????????????????????????+???????????????????????????????+
? Roger Oberholtzer          ?   E-mail: roger at opq.se        ?
? OPQ Systems AB             ?      WWW: http://www.opq.se/  ?
? Nybrogatan 66 nb           ?    Phone: Int + 46 8   314223 ?
? 114 41 Stockholm           ?   Mobile: Int + 46 733 621657 ?
? Sweden                     ?      Fax: Int + 46 8   314223 ?
+????????????????????????????+???????????????????????????????+

More information about the Linux-users mailing list