On Sep 24, 12:50 pm, "Peter Kasting" <[EMAIL PROTECTED]> wrote:
> On Wed, Sep 24, 2008 at 8:40 AM, Nicolas Sylvain <[EMAIL PROTECTED]>wrote:
>
> > On Wed, Sep 24, 2008 at 8:29 AM, Tom Limoncelli <[EMAIL PROTECTED]>wrote:
>
> >> (1) If I type [12345678900] into the omnibox, the suggestion is
> >> http://223.220.28.52/ (the integer cast into an IPv4 address).  It
> >> seems that this would be a way for spammers to obscure the IP address
> >> of their servers.  Firefox and other browsers handle this
> >> differently.  From a user standpoint, if I was typing "123signup.com",
> >> when I type the "123" I see 0.0.0.123 in the suggestion and could get
> >> confused.  Of course, as I type the "s" of "signup" everything clears
> >> up, but it seems like a usability issue none the less.
>
> If by "Firefox and other browsers handle this differently" you mean "other
> browsers just open the IP without telling you what it is in dotted quad
> form", then you're correct.  That seems _more_ subtle to me rather than
> less.  Chromium defaults to searching for this input, not opening it, and if
> you elect to open it (which is a choice we _have_ to give users, since this
> is a valid form of IP address), we at least tell you what IP you're really
> going to.  I don't see any problems with this behavior.
>
> >> (2) If I type [10.10.010.10] the omnibox rewrites it as 10.10.8.10.
> >> When I've seen other software do that it was an indication that a libc
> >> function was used to convert the octets, and that concerns me (not all
> >> operating systems have secure libc's).  It also provides many new ways
> >> for spammers to obscure their URLs.  (0x123 works too).
>
> Again, hex and octal input is valid in IPs, and e.g. Firefox will open this
> just fine; this isn't Chromium exposing new avenues for spammers, it's us
> supporting how IP addresses work.

While I agree that an integer for an IP address is technically a valid
IP address, it isn't a format that is in common use and I wouldn't be
surprised to find an RFC that deprecates it.  I agree that Chrome's
handling of the issue is better than other browsers.

> I don't know what the particular concern on base conversion is, if you have
> details perhaps you can provide them.

I think I'm conflating that issue with something else.  In the past,
seeing 010 being treated as "8" is a tip to look for the use of scanf,
which has been the source of buffer overruns.  But that's a different
issue.  Sorry for the confusion.

Tom
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Chromium-discuss" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/chromium-discuss?hl=en
-~----------~----~----~----~------~----~------~--~---
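As an added worked example (not part of the thread, and not Chromium's or any libc's code), here is a strict parser for the numeric IPv4 forms the two posts argue about: a bare integer, octets with a leading 0 (octal), 0x octets (hex), and the a.b / a.b.c shorthands where the last part fills the remaining bytes. The grammar follows the classic BSD inet_aton() rules; the code uses strtoull() with explicit range checks rather than scanf(), which is the point Tom raises about how "010" becoming 8 is usually implemented. Names such as parse_ipv4_numeric and normalize_ipv4 are my own. Note that 12345678900 does not fit in 32 bits, so a strict parser rejects it; 223.220.28.52 is that integer reduced modulo 2^32, which the example computes as plain arithmetic rather than claiming it as the omnibox's algorithm.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse one dotted part. Base is picked the way BSD inet_aton() does it:
 * "0x"/"0X" prefix -> hex, any other leading "0" -> octal, else decimal.
 * strtoull() with explicit checks replaces sscanf(): no fixed buffer to
 * overrun and no silent wraparound on oversized input.
 * Returns 0 (ok), -1 (no digits), -2 (does not fit unsigned long long). */
static int parse_part(const char *s, const char **endp, unsigned long long *out)
{
    int base = 10;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        base = 16;                     /* strtoull() consumes the 0x itself */
    else if (s[0] == '0')
        base = 8;

    char *end;
    errno = 0;
    unsigned long long v = strtoull(s, &end, base);
    if (end == s)
        return -1;
    if (errno == ERANGE)
        return -2;
    *endp = end;
    *out = v;
    return 0;
}

/* Accept a, a.b, a.b.c, a.b.c.d. Every part but the last must fit one byte;
 * the last part fills all remaining bytes, so a lone integer is the whole
 * 32-bit address. Result is host byte order.
 * Returns 0 (ok), -1 (malformed), -2 (a part is out of range). */
int parse_ipv4_numeric(const char *s, uint32_t *out)
{
    unsigned long long parts[4];
    int n = 0;
    const char *p = s;

    for (;;) {
        if (n == 4)                                   /* fifth part: reject */
            return -1;
        if (!isdigit((unsigned char)*p))              /* no sign, space, empty part */
            return -1;
        int rc = parse_part(p, &p, &parts[n]);
        if (rc != 0)
            return rc;
        n++;
        if (*p == '\0')
            break;
        if (*p != '.')
            return -1;                                /* e.g. "09": the 9 is left over */
        p++;
    }

    for (int i = 0; i < n - 1; i++)
        if (parts[i] > 0xff)
            return -2;
    int last_bits = 8 * (5 - n);                      /* 32, 24, 16 or 8 */
    if (parts[n - 1] > (1ULL << last_bits) - 1)
        return -2;                                    /* 12345678900 lands here */

    uint64_t v = 0;                                   /* 64-bit: shifting by 32 is defined */
    for (int i = 0; i < n - 1; i++)
        v = (v << 8) | parts[i];
    v = (v << last_bits) | parts[n - 1];
    *out = (uint32_t)v;
    return 0;
}

/* Render a host-order address as canonical dotted quad (16 bytes incl. NUL). */
void format_quad(uint32_t a, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(a >> 24), (unsigned)((a >> 16) & 0xff),
             (unsigned)((a >> 8) & 0xff), (unsigned)(a & 0xff));
}

/* Parse and normalise in one step; out is only valid when 0 is returned. */
int normalize_ipv4(const char *s, char out[16])
{
    uint32_t a;
    int rc = parse_ipv4_numeric(s, &a);
    if (rc == 0)
        format_quad(a, out);
    return rc;
}

int main(void)
{
    const char *inputs[] = { "10.10.010.10", "0x123", "123", "0x7f.1", "12345678900", "09" };
    char buf[16];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = normalize_ipv4(inputs[i], buf);
        printf("%-13s -> %s\n", inputs[i],
               rc == 0 ? buf : rc == -1 ? "rejected: malformed" : "rejected: out of range");
    }
    /* The post's integer reduced mod 2^32: arithmetic only, not the browser's code. */
    format_quad((uint32_t)(12345678900ULL & 0xffffffffULL), buf);
    printf("%-13s -> %s (mod 2^32)\n", "12345678900", buf);
    return 0;
}
```

The useful check for a practitioner is the contrast between the two failure modes: "1.2.3.4.5" and "09" are malformed (-1), while "256.1.1.1" and the eleven-digit integer are well-formed but out of range (-2). A URL or omnibox layer that wants to accept the oversized integer anyway has to decide explicitly whether to wrap it, as the displayed 223.220.28.52 does, or refuse it; doing it implicitly through a 32-bit cast is where the "obscured address" surprise comes from.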
