[WEB SECURITY] file scheme handling of the "|" character

Chris Weber chris at casabasecurity.com
Tue Jun 21 14:45:12 EDT 2011


While on the topic of URI parsing, were you all aware of this behavior?

http://www.lookout.net/2011/06/20/some-browsers-convert-pipe-to-colon-in-the
-file-scheme/

I know someone testing Webkit was as it's in their list of test cases.  But
I did not realize that some browsers, MSIE and Chrome, will literally
convert the "|" to a ":" in the drive letter of the path component.

I can see this being a problem for security filters, but can't think of
anything specific.

-Chris





More information about the websecurity mailing list