THERE'S NOTHING MORE alluring than a big red button that says "Do Not Touch", and this one is a doozy.
If you type, "http://a/%%30%30" into Google Chrome, it will bork your
browser rather spectacularly. We can see you reaching to launch Chrome
now. Stop it. Really, you don't want to try it.
We did. It crashes your browser and anything connected to Chrome such as Hangouts.
Essentially, the bug is caused by adding a NULL character to a web address. It shouldn't work, but it does.
A bug report in Chromium with the audacious title "GURL
re-canonicalization unescapes a second time, can invalidate
previously-valid URL", submitted by Andris Atteka, appears to show the
fault as being present in Chrome 45 and still crashing in current Canary
builds.
Google has said that it is "working on a fix" but there seems to be some debate in the community as to what a fix looks like.
You'll notice we've not hyperlinked to the offending string either
because even hovering a mouse over the characters will trigger the
effect.
It's a mild inconvenience, essentially. There's no security risk,
there's no permanent damage. But with web browsers being such a central
part of the computing experience, a weakness like this is bound to raise
questions as to what else can go wrong.
Chrome, as one of the biggest browsers on the planet, has to be seen
to be stable, and so Google will want to ensure that this "feature" is
fixed as soon as possible.
With it being non-security related, Atteka won't get the bug bounty
that Google offers, just the satisfaction of knowing that there's
millions of Chrome user who are slightly less inconvenienced as a result
of his efforts.
Chrome news has been thin on the ground lately as Google's focus remains on the release of Marshmallow, set to be unveiled along with some new handsets on September 29th. µ
Cr : Chris Merriman / The Inquirer
ไม่มีความคิดเห็น:
แสดงความคิดเห็น