by Smerity 4095 days ago
Tangentially related, I was performing an analysis of the billions of links available in Common Crawl[1] and ran across an interesting error: there was one link where the port number was 18779690999[2].

The library I was using converted the port text into a 32-bit integer but the library didn't account for the possibility that someone supplied a port well over the 32-bit int limits. I was curious how many tools that use URLs would suffer similar fates and whether there might be any interesting security vulnerabilities.

Just goes to show, no matter how much crazy you've seen, there are likely crazier things hidden from you across the Internet ;)

[1]: http://commoncrawl.org/

[2]: https://twitter.com/Smerity/status/576339945041707008
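
An added example, not part of the original post and not the code of the library it mentions: a hypothetical unchecked 32-bit conversion next to a strict parser that rejects anything outside the 16-bit port range. The function names `naive_port` and `parse_port` are assumptions made for illustration; the sample input is the port text quoted in the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical naive conversion (an assumption, not the library from the
 * post): accumulates digits into 32 bits with no range check, so a long
 * digit string silently wraps modulo 2^32. */
uint32_t naive_port(const char *s) {
    uint32_t v = 0;
    for (; *s >= '0' && *s <= '9'; s++)
        v = v * 10u + (uint32_t)(*s - '0');
    return v;
}

/* Strict conversion: non-empty, decimal digits only, value <= 65535.
 * Returns 0 and stores the port on success, -1 on malformed input. */
int parse_port(const char *s, uint16_t *out) {
    uint32_t v = 0;
    if (s == NULL || out == NULL || *s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;              /* sign, space, or trailing junk */
        v = v * 10u + (uint32_t)(*s - '0');
        if (v > 65535u)
            return -1;              /* reject before the accumulator can wrap */
    }
    *out = (uint16_t)v;
    return 0;
}

int main(void) {
    const char *sample = "18779690999";   /* port text quoted in the post */
    uint16_t port = 0;
    printf("naive 32-bit value : %u\n", (unsigned)naive_port(sample));
    printf("truncated to 16 bit: %u\n", (unsigned)(uint16_t)naive_port(sample));
    printf("strict parser      : %s\n",
           parse_port(sample, &port) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The unchecked path turns the malformed port into a different, valid-looking number, so any allow-list or policy check made on the original text no longer matches the port that is actually used; the strict parser fails closed instead.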

2 comments

The port number is supposed to be a 16-bit number though. So, anything above 65535 is malformed.

http://en.wikipedia.org/wiki/Port_%28computer_networking%29

Agreed that it's malformed. My point was more that I'm curious how many other libraries fail badly when confronted with an unexpectedly large port. It's the edge cases / "no-one would ever be silly enough to do that" that quite frequently lead to security issues =]

Yes, that's why I feel like this is more significant than a simple crash at first glance - no one would purposefully craft a 256+ unchecked character URL, unless they are being malicious, in which case they absolutely will craft a 256+ unchecked character URL.

URLs can definitely get rather long if they contain lots of query data, and the de-facto limit seems to be around 2KB[1]. It's still not acceptable for such URLs to crash the browser though.

[1] http://stackoverflow.com/questions/417142/what-is-the-maximu...

Sure looks like a toll-free phone number: 1-877-969-0999. Google hints relation to reporting natural gas leaks.

Edit - followed links