These all work (I'm using underscores instead of spaces to maintain clickable links on this page, but almost any characters work, including spaces) :-
http://www.google.com///
http://www.google.com///webhp
http://www.google.com//any_text_you_like_can_be_inserted_in_here/
http://www.google.com//any_text_you_like_can_be_inserted_in_here/webhp
http://www.google.com///search?q=oddity
http://www.google.com//any_text_you_like_can_be_inserted_in_here/search?q=oddity
And for the other Google services too.
Is this oddity known about? am I the last to notice? Is it a Google quirk or a more general web server quirk?
Anything useful or dangerous about it?
Here's a half-hearted phishing-like URL, where it's made to look like the search term is one thing [spoofed_word] but in fact it's another [oddity]. A *lot* more underscores can be used to push the latter part of the URL out of sight, but I've kept the example fairly short. Spaces (or periods, etc) work fine instead of underscores too :-
http://www.google.com//search&q=spoofed_word__________any_text_you_like_can_be_inserted_in_here/search?q=oddity
Here's a way of sharing a search URL, whilst retaining 'credit' and/or a reminder of it's source :-
http://www.google.com//Customised_Google_search_provided_by_www.iMilly.com_/search?q=oddity
Or even :-
http://www.google.com//[Sponsored_by____http://www.iMilly.com____Your_Premier_Source_of_High_Class_Spondoolics!!___]/search?q=oddity
And of course that type of URL construction could easily be built into the morass of browser Toolbars, or even the search tools bundled with the browsers themselves.
I hate to imagine what the SEO spammers might do with such subverted Google search URLs.
I suppose it might be combined with My Search History spam too (see :-
http://blogoscoped.com/forum/8186.html
And bloggers sometimes like to (and Bloggers must) use Google's redirector like so :-
http://www.google.com/url?&q=http://www.iMilly.com
But this works too[1] :-
http://www.google.com//_Link_via_Google_Blogoscoped_at_http://blogoscoped.com_/url?&q=http://www.iMilly.com
Ooh er, what might I have unleashed ...
Any other wrinkles?
Milly
[1] Though the redirector has always been susceptible to padding in this form anyway :-
http://www.google.com/url?&q=http://www.spam.com/?-Buy-Cheap-Spam-Here |
As for the multi-slashes, as far as I know that's normal server behavior. It works on my Apache as well: try http://blogoscoped.com///forum/
Interesting spoof URLs you found there. |
Hmm, yes, but on any of these, say, you're serving up an "HTTP/1.1 404 Not Found" response :-
http://blogoscoped.com//spooftext/forum/
http://blogoscoped.com//spooftext/forum/10977.html
http://blogoscoped.com/forum//spooftext/10977.html
I suppose that's what Google ought to be doing?
(I'm don't know much about server setups, by any means). |