The link that could crash Google Chrome!

A few weeks ago there was a link released to the public that could crash Google Chrome. It looks like this: http://a/%%30%30

Note that this URL does not crash other browsers like IE, Edge or Firefox due to the way those browsers handle the URL.

The Basics

You cannot type certain characters into a URL, because they have special functions or are simply unsupported. To make up for this, browsers treat a percent sign followed by two hexadecimal digits as an encoded character, which they decode to get the “real” URL. To understand why Google Chrome crashes, we must first decode the URL.

Decoding the URL

At the end of the URL is this: %%30%30. Each %30 gets decoded to 0, the same 0 that you would type with your keyboard, which leaves us with %00. If we decode it again, the %00 gets decoded to a NULL character, which is an invalid character for URLs.

Note that if you had just typed http://a/%00 the browser would detect it as an invalid URL and the bug would not work.

However, with Google Chrome, the URL is marked as safe to use before the decoder is run a second time. Therefore, when Chrome tries to connect to that address, it fails and realises that the URL is invalid. This (for an unknown reason) causes Google Chrome to pop up a window saying “Something has gone terribly wrong here…” and kills Google Chrome.

Summary 

When this URL was released to the public, I tested it with my browser that I am currently developing. My browser crashed as well. xD

I have fixed it if you were wondering 🙂

If you are reading this, the bug has already been fixed in Google Chrome. Chrome now changes the URL to http://a/%2500 to prevent crashes.
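
The check-then-decode-again ordering described above, and two ways to close it, as an added sketch that is not Chrome's code or code from this post. All function names are hypothetical, and the set of forbidden characters is an assumption made for the illustration.

```javascript
// Added illustration; function names are hypothetical, not Chrome's code.

// One lenient decode pass: only well-formed %XX triplets are decoded,
// a stray '%' is left untouched.
function decodeOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Assumption for this sketch: NUL and other control characters are invalid.
function hasForbidden(s) {
  return /[\x00-\x1f\x7f]/.test(s);
}

// Flawed ordering: the check runs after the first pass, but a later stage
// decodes again and uses that result.
function flawedPipeline(path) {
  const first = decodeOnce(path);
  const markedSafe = !hasForbidden(first);
  const used = decodeOnce(first);
  return { first, markedSafe, usedIsValid: !hasForbidden(used) };
}

// Fix 1: decode until nothing changes, then validate the final form.
function validateFully(path, maxPasses = 8) {
  let cur = path;
  for (let i = 0; i < maxPasses; i++) {
    const next = decodeOnce(cur);
    if (next === cur) return !hasForbidden(cur);
    cur = next;
  }
  return false; // still changing after maxPasses: reject
}

// Fix 2: canonicalize in a single left-to-right pass. A stray '%' becomes
// %25, escapes of unreserved characters are decoded, other escapes are kept.
function canonicalize(path) {
  return path.replace(/%([0-9A-Fa-f]{2})?/g, (m, hex) => {
    if (hex === undefined) return "%25";
    const ch = String.fromCharCode(parseInt(hex, 16));
    return /[A-Za-z0-9._~-]/.test(ch) ? ch : "%" + hex.toUpperCase();
  });
}
```

With the path /%%30%30, flawedPipeline marks the string safe while the value actually used contains a NULL, whereas canonicalize yields /%2500, which a single decode turns into the literal text %00 rather than a NULL character.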
