
URL detection flaw causes OS X apps to crash

Marco Tabini | Feb. 5, 2013
Over the weekend, a rather curious OS X bug was reported with a mixture of amusement and surprise. Affecting only recent versions of Mountain Lion--including, according to some reports, as-yet unreleased betas of the operating system--the bug manifests itself as a crash every time you type File:/// (with an uppercase F) inside most standard text input controls, like those you can find in a Web form or in text editors like TextEdit.

Bugs are nothing new, of course, but this one is particularly interesting because it affects almost every app that uses OS X's standard text-input mechanisms. Luckily, it's a relatively minor issue that occurs only rarely in real-life use, and can be easily addressed by a few mouse clicks in the right System Preferences pane.

What's happening?

Recent versions of OS X include a feature, called data detectors, which allows apps to automatically recognize certain kinds of information when it appears in a piece of text. You can see it at work whenever Mail detects that a message you have received contains an address or a phone number and allows you to, for example, create an entry in the Contacts app at the click of a mouse.

One of the jobs entrusted to the detectors is that of recognizing Internet URLs. Thus, when you type something like http://macworld.com, an app can use data detectors to automatically recognize it as a URL and make it clickable. As you can imagine, this greatly enhances the user's experience, since the alternative would be to manually copy-and-paste Web addresses into a browser, which is both time-consuming and error-prone.

In addition to website addresses, URLs that start with the prefix file:/// can also be used to identify files that reside locally on your computer, and this is where our bug comes into play. When you type File:/// anywhere in an affected app, data detectors correctly recognize that you are trying to input a file URL and attempt to extract it so that it can be highlighted or otherwise manipulated by the host app, just like any other address.

Crucially, however, this process also contains a bit of self-validation code designed to make sure that the data detector did its job properly and that it was not somehow fooled into recognizing an invalid URL--something that could result in improper operation, or even a security vulnerability. Unfortunately, the validation code, called an assertion, cannot make the distinction between uppercase and lowercase characters properly; thus, when you start a URL with the word File instead of file, the operating system correctly detects the URL, but the validation code fails, causing the crash.
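A small model of the mismatch described above, added here as an illustration and not Apple's code: the detector, both validators and the sample strings are hypothetical and constructed for this example. It puts a case-insensitive detector in front of a case-sensitive self-check, next to a check that normalizes the scheme and rejects the input instead of asserting.

```python
import re

ALLOWED = ("file", "http", "https")

# Hypothetical detector: recognizes schemes case-insensitively, so it
# accepts File:/// as a file URL, as the article describes.
_URL_RE = re.compile(r"\b(?:file|https?)://[^\s<>\"]*", re.IGNORECASE)

def detect_urls(text):
    """Return (start, end, url) for every URL-like run in text."""
    return [(m.start(), m.end(), m.group(0)) for m in _URL_RE.finditer(text)]

def validate_strict(url):
    """Modelled flaw: the self-check compares the scheme case-sensitively,
    so a URL the detector already accepted trips the assertion."""
    scheme = url.split(":", 1)[0]
    if scheme not in ALLOWED:
        # Raised explicitly so the behaviour does not depend on python -O.
        raise AssertionError(f"unexpected scheme {scheme!r}")
    return url

def validate_normalized(url):
    """Hardened check: URI schemes are case-insensitive (RFC 3986, 3.1),
    so lowercase before comparing, and return None on a mismatch rather
    than aborting the host process on odd input."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() not in ALLOWED:
        return None
    return scheme.lower() + ":" + rest

def annotate(text, validator):
    """Detection followed by validation, as a text control would run it."""
    return [validator(url) for _, _, url in detect_urls(text)]

def crashes(text, validator):
    """True if the assertion escapes the pipeline (the modelled crash)."""
    try:
        annotate(text, validator)
        return False
    except AssertionError:
        return True

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("see file:///tmp/a", "see File:///tmp/a", "HTTP://macworld.com"):
        print(sample, "| strict crashes:", crashes(sample, validate_strict),
              "| normalized:", annotate(sample, validate_normalized))
```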

 
