Some browsers convert pipe "|" to colon ":" in the file scheme

20 Jun 2011

I just thought this was odd, and may be exploited in cases where a security filter checks the string before the conversion takes place.

Here are the results of the DOM parsing for "file://c|/foo/bar". Internet Explorer and Google Chrome both convert the "|" to the ":" in the path component. Windows actually treats the "|" as a ":" in the path, which may also seem odd, but then why would these browsers feel the need to convert the character?

Test Cases
================

file://c|/foo/bar

c|/foo/bar

Results
================

RawUrl Browser
file:///c:/foo/bar MSIE 7.0
file:///C:/foo/bar Chrome/12.0.742.100
file:///c|/foo/bar Firefox/4.0.1
file://c|/foo/bar Safari/5.05
file://localhost/c|/foo/bar Opera/9.80

I can understand being liberal in accepting "|" characters in the path segment, even though RFC3986 and 3987bis would have you percent-encode it to "%7C". But I didn't realize that IE and Chrome would actually perform a transformation on the input in this way.

Gareth Heyes

2011-06-21T10:35:56.000Z

Awesome post! :)

Chrome also does this crazy stuff:
test

Eric Lawrence [MSFT]

2011-06-21T13:10:06.000Z

This is a legacy-compatibility feature of file URIs. IIRC, some version of Netscape did this and IE adopted it in the 1990s.

Eric Lawrence [MSFT]

2011-06-21T13:25:29.000Z

http://en.wikipedia.org/wiki/File_URI_scheme#Things_to_consider

Chris Weber

2011-06-22T13:40:54.000Z

Gareth, so people can see your test case I'm putting it in text here:

a href="c|test.txt"

That does seem crazy. Eric, gotta love that legacy-compat right? You know us security types all too well, and we certainly hear alarm bells when characters start converting from one thing to another.

dev/rnd

2011-07-20T04:37:00.000Z

Whacky, wonder what caused Netscape to do this back in the 90's?

lookout.net

Some browsers convert pipe "|" to colon ":" in the file scheme