[webkit-qt] [Qt] HTTP header injection vulnerability (QWebPage::userAgentForUrl)

Simon Hausmann simon.hausmann at nokia.com
Wed Sep 21 23:37:51 PDT 2011


On Wednesday, September 21, 2011 10:20:45 PM ext Jarred Nicholls wrote:
> Hey qtwebkittens,
> 
> So we found an interesting HTTP header injection vulnerability with the
> QWebPage::userAgentForUrl API - see
> https://bugs.webkit.org/show_bug.cgi?id=68560.  As suggested by jeez, I'm
> posting this finding on the mailing list so it's not lost in the ether and
> any others can chime in.
> 
> Not too sure where the permanent guard belongs, but I'm planning on adding a
> test case and a temp patch to FrameLoaderClientQt.cpp to protect this one
> scenario.  I'll follow up by scouring the API to see if any other relevant
> vulnerabilities exist.

My feeling is that the best place to protect against this is at the PhantomJS level.

If you have access to the memory of the process and the QtWebKit API, you can do a lot
worse than that :). I mean, we can't add a protection against QWebPage::setNetworkAccessManager, right?

In other words: The user of an API is trusted, also because he has access to the process
memory anyway. The content downloaded from the network cannot be trusted.

Do you trust the scripts executed in PhantomJS?

Simon
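For readers unfamiliar with the bug class named in the subject: HTTP header injection through a header value works by embedding a CR LF pair in the value, so that a naive serializer emits the remainder as a new header line (or, with a double CR LF, as a second request). The following is an added illustration, not code from this thread, from QtWebKit or from PhantomJS. The request builder, the header names and the constructed user-agent strings are stand-ins chosen for this example; the real request is assembled by Qt's network layer, which is not reproduced here. It shows the naive form beside two defences: rejecting CR, LF and NUL outright (RFC 7230 forbids them in a field value) and, as a weaker fallback, replacing them with a space.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Constructed sample inputs (not taken from the bug report).
// A CR LF inside the value turns the rest into a second header line ...
const std::string kInjectedUserAgent = "Mozilla/5.0\r\nX-Injected: yes";
// ... and a double CR LF ends the header block so a second request line follows.
const std::string kSmugglingUserAgent =
    "Mozilla/5.0\r\n\r\nGET /evil HTTP/1.1\r\nHost: attacker.example";

// Naive serializer: trusts whatever the API caller returned as the user agent.
std::string buildRequestNaive(const std::string& path, const std::string& host,
                              const std::string& userAgent) {
    std::string req = "GET " + path + " HTTP/1.1\r\n";
    req += "Host: " + host + "\r\n";
    req += "User-Agent: " + userAgent + "\r\n";
    req += "\r\n";
    return req;
}

// Defence 1: validate. A header field value must not contain CR, LF or NUL.
bool isSafeHeaderValue(const std::string& value) {
    for (unsigned char c : value) {
        if (c == '\r' || c == '\n' || c == '\0') return false;
    }
    return true;
}

// Defence 2: sanitize, for callers that would rather degrade than fail.
std::string sanitizeHeaderValue(const std::string& value) {
    std::string out = value;
    for (char& c : out) {
        if (c == '\r' || c == '\n' || c == '\0') c = ' ';
    }
    return out;
}

// Hardened builder: refuses a user agent that could split the header block.
std::string buildRequestChecked(const std::string& path, const std::string& host,
                                const std::string& userAgent) {
    if (!isSafeHeaderValue(userAgent)) {
        throw std::invalid_argument("User-Agent contains CR, LF or NUL");
    }
    return buildRequestNaive(path, host, userAgent);
}

// Returns true when the hardened builder rejects the given user agent.
bool checkedBuilderRejects(const std::string& userAgent) {
    try {
        buildRequestChecked("/", "example.com", userAgent);
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}

// Counts header lines between the request line and the first empty line,
// i.e. what a server would parse as headers of the first request.
int countHeaderLines(const std::string& req) {
    std::size_t pos = req.find("\r\n");
    if (pos == std::string::npos) return 0;
    pos += 2;  // skip the request line
    int count = 0;
    while (pos < req.size()) {
        std::size_t end = req.find("\r\n", pos);
        if (end == std::string::npos) break;
        if (end == pos) break;  // empty line terminates the header block
        ++count;
        pos = end + 2;
    }
    return count;
}

// Counts lines that look like request lines; more than one means a
// second request was smuggled into the serialized bytes.
int countRequestLines(const std::string& req) {
    int count = 0;
    std::size_t pos = 0;
    while ((pos = req.find(" HTTP/1.1\r\n", pos)) != std::string::npos) {
        ++count;
        pos += 1;
    }
    return count;
}
```

The point of the reject-versus-sanitize split is the one the thread turns on: validation belongs at the layer that first sees the untrusted string, and whether the user-agent callback is that layer depends on who you consider the caller to be.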
