[Fixed] Noscript tag Meta Refresh Quoted url Redirect bug

Bug reports and enhancement requests

[Fixed] Noscript tag Meta Refresh Quoted url Redirect bug

Postby juozas » Wed Jul 11, 2018 8:11 am

When scripting on target site is disabled and site contains meta refresh url with single quotes in the noscript tag, it redirects to wrong page such as original url + new url with quotes included that in many cases ends in 404 page.

When all addons are disabled page works ok and setting
Code: Select all
javascript.enabled
preference to false in
Code: Select all
about:config
when all addons disabled page redirects to correct page like it should do.

For example this Lithuanian site
Code: Select all
hxxp://wxw.numeris.info/869860104
redirects to
Code: Select all
hxxp://wxw.numeris.info/'hxxp://wxw.numeris.info/869860104?PageSpeed=noscript%27
which is a 404 page.
The offending tag is
Code: Select all
<noscript><meta HTTP-EQUIV="refresh" content="0;url='hxxp://wxw.numeris.info/869860104?PageSpeed=noscript'" /><style><!--table,div,span,font,p{display:none} --></style><div style="display:block">Please click <a href="hxxp://wxw.numeris.info/869860104?PageSpeed=noscript">here</a> if you are not redirected within a few seconds.</div></noscript>
In this example http in url replaced with hxxp and www replaced with wxw.

Edit: Fixed truncated noscript tag in above example.
Edit2: Bug fixed completely in AMO version 10.1.8.5

Noscript 10.1.8.2
Firefox 61.0.1
Ubuntu Linux 18.04 LTS, codename bionic
Last edited by juozas on Thu Jul 19, 2018 8:21 pm, edited 4 times in total.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
 
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Postby skriptimaahinen » Wed Jul 11, 2018 7:05 pm

Can confirm. Needs sanitation of single quotes out of the url if present.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
skriptimaahinen
Senior Member
 
Posts: 117
Joined: Wed Jan 10, 2018 7:37 am

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Postby Giorgio Maone » Thu Jul 12, 2018 12:11 am

Fix here (not released yet), thank you.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8604
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Postby therube » Thu Jul 12, 2018 9:55 am

Will there be a similar fix for NoScript 5.x ?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
User avatar
therube
Ambassador
 
Posts: 7131
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Postby Giorgio Maone » Thu Jul 12, 2018 3:21 pm

therube wrote:Will there be a similar fix for NoScript 5.x ?

Is NoScript 5 affected? As far as I can see there's already code there to handle quoted URLs...
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8604
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Postby therube » Thu Jul 12, 2018 4:39 pm

Oops, you're right.

Been using different computers & different settings.
When I looked the other day, all seemed OK - as I remembered.
Looking again today, to confirm, it looped over to 'PageSpeed=noscript'.
But... I forgot to enable, 'Forbid META redirections inside <NOSCRIPT> elements.

Set correctly, all is well.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
User avatar
therube
Ambassador
 
Posts: 7131
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 10.1.8.2 Noscript tag Quoted Meta Refresh url Redirect b

Postby Giorgio Maone » Thu Jul 12, 2018 9:51 pm

Fixed in latest development build, thanks.
v 10.1.8.3rc11
=============================================================
x [XSS] Fixed InjectionChecker choking at some big JSON
payloads sents as POST form data
x Fixed meta-refresh emulation confused by quoted URLs
x Fixed regression - popup first row not showing the active
preset initially
x [ESR60] Fixed some edge cases still breaking feeds
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8604
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Postby juozas » Mon Jul 16, 2018 2:43 pm

This still happens in AMO version 10.1.8.4, the latest update from AMO didn't solve the thing. Still redirecting to wrong page when scripting on the site is turned off and meta redirect in noscript element has an url with quotes before and after it like posted above :\
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
 
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Postby therube » Mon Jul 16, 2018 2:50 pm

Is that a typo? There is no 10.1.8.4 (currently).

(And theoretically, there should be no difference between 10.1.8.3 release & 10.1.8.3rc11 - except the update channel.)

(Don't remember offhand if I ever tested the testcase against 10.1.8.3rc11 ?)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 SeaMonkey/2.49.3
User avatar
therube
Ambassador
 
Posts: 7131
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Postby juozas » Mon Jul 16, 2018 3:02 pm

Yes. 10.1.8.4 is posted in amo, as version in screenshot shows. Dunno what got messed up in the amo though :\
Image
Image
Also in actual amo page shows 10.1.8.4 not anything else, last screenshot taken 2018-07-16 18:05:07 (GMT+2, Summer time, Date time in the file name).
Last edited by juozas on Mon Jul 16, 2018 3:08 pm, edited 1 time in total.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
 
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Postby Giorgio Maone » Mon Jul 16, 2018 3:07 pm

juozas wrote:This still happens in AMO version 10.1.8.4, the latest update from AMO didn't solve the thing. Still redirecting to wrong page when scripting on the site is turned off and meta redirect in noscript element has an url with quotes before and after it like posted above :\

Ops, you're right, the fix was partial. Will go in next release, sorry.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8604
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Postby juozas » Mon Jul 16, 2018 3:10 pm

So I'll have to "downgrade" to 10.1.8.3 when it gets fixed :D it appears that 10.1.8.3 was already out in amo before, so no need to downgrade to previous version, the right choice is to opgrade
Last edited by juozas on Mon Jul 16, 2018 7:11 pm, edited 2 times in total.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
 
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am

Re: 10.1.8.2 Noscript tag Meta Refresh Quoted url Redirect b

Postby Giorgio Maone » Mon Jul 16, 2018 3:49 pm

juozas wrote:So I'll have to "downgrade" to 10.1.8.3 when it gets fixed :D

No, you actually need to upgrade to 10.1.8.5 ;)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
Giorgio Maone
Site Admin
 
Posts: 8604
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: [Fixed] Noscript tag Meta Refresh Quoted url Redirect bu

Postby therube » Mon Jul 16, 2018 11:42 pm

10.1.8.3rc11
http://www.numeris.info/869860104
rolls to
http://www.numeris.info/'http://www.numeris.info/869860104?PageSpeed=noscript%27

10.1.8.7
http://www.numeris.info/869860104
"rolls to"
http://www.numeris.info/869860104?PageSpeed=noscript


Which I guess is OK?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.4
User avatar
therube
Ambassador
 
Posts: 7131
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: [Fixed] Noscript tag Meta Refresh Quoted url Redirect bu

Postby juozas » Tue Jul 17, 2018 4:24 pm

The second one is correct. The script that redirects when no scripting is enabled is in the most of pages on the domain, not just the number pages such as shown in the example, also other language mirrors are located on the top right location of the pages.
Сделано в СССР
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
User avatar
juozas
Junior Member
 
Posts: 22
Joined: Sat Nov 25, 2017 8:44 am


Return to NoScript Development

Who is online

Users browsing this forum: No registered users and 4 guests